360 Web Manager 3.0 Multiple vulnerabilities

2011-04-23T00:00:00
ID 1337DAY-ID-15911
Type zdt
Reporter Ignacio Garrido
Modified 2011-04-23T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            # Exploit Title: Multiple vulnerabilities in 360 Web Manager 3.0
# Google Dork: "Powered by 360 Web Manager 3.0"
# Date: 15/04/2011
# Author: Ignacio Garrido
# Contact: [email protected]
# Software Link: www.360webmanager.com
# Version: v3.0
# Tested on: Linux *2.6.18*
 
#Vulnerability description:
 
360 Web Manager 3.0 makes use of a panel manager which uses a simple file
manager, this script don't require any authorization at all to upload, list,
or even delete files.
 
We can find this panel at: http://
[site]/adm/barra/assetmanager/assetmanager.php.
 
By looking the source code we can find the internal path of the application
right next to:"<input type="hidden" name="inpAssetBaseFolder0"
id="inpAssetBaseFolder0"
value=""
 
Trough a forged post we can manipulate the path of the folder to list or
delete: inpFileToDelete=%2FfileToDelete%2F&inpCurrFolder=%2FpathToList%2F
 
Also when uploading a file we can easily change the path of the folder by
changing the "inpCurrFolder2" parameter (there's no restriction to upload
php files!).
 
 
Possible solutions:
 
*Use the admin panel session to authenticate the use of the file manager.
 
*Forbid the upload of files with dangerous extensions such as .php,.php5,
etc.
 
*Give the appropriate permissions to read files within its own file
directory.



#  0day.today [2018-01-05]  #