Acuity CMS 2.6.x <= Path Traversal Arbitrary File Access

2012-06-03T00:00:00
ID SECURITYVULNS:DOC:28110
Type securityvulns
Reporter Securityvulns
Modified 2012-06-03T00:00:00

Description

  1. OVERVIEW

Acuity CMS 2.6.x (ASP-based) versions are vulnerable to Path Traversal.

  1. BACKGROUND

Acuity CMS is a powerful but simple, extremely easy to use, low priced, easy to deploy content management system. It is a leader in its price and feature class.

  1. VULNERABILITY DESCRIPTION

The issue is due to the script, /admin/file_manager/browse.asp, not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the 'path' parameter. It would allow the attacker to access arbitrary files outside of web root directory.

  1. VERSIONS AFFECTED

Tested with version 2.6.2.

  1. PROOF-OF-CONCEPT/EXPLOIT

http://localhost/admin/file_manager/browse.asp?field=&form=&path=../../

  1. SOLUTION

The Acunity CMS is no longer in active development. It is recommended to user another CMS in active development and support.

  1. VENDOR

The Collective http://www.thecollective.com.au/

  1. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.

  1. DISCLOSURE TIME-LINE

2012-05-20: vulnerability disclosed

  1. REFERENCES

Original Advisory URL: http://yehg.net/lab/pr0js/advisories/%5Bacuity_cms2.6%20x_(asp)%5D_path_traversal

yehg [2012-05-20]