webEdition 6.3.8.0 Path Traversal Vulnerability

Vendor: webEdition e.V.
Vulnerable Version(s): 6.3.8.0 (SVN-Revision: 6985)  and probably prior
Tested Version: 6.3.8.0 (SVN-Revision: 6985) 
Advisory Publication:  August 6, 2014  [without technical details]
Vendor Notification: August 6, 2014 
Vendor Patch: September 4, 2014 
Public Disclosure: September 17, 2014 
Vulnerability Type: Path Traversal [CWE-22]
CVE Reference: CVE-2014-5258
Risk Level: Medium 
CVSSv2 Base Score: 4 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered vulnerability in webEdition, which can be exploited to read arbitrary files on the target system.


1) Path Traversal in webEdition: CVE-2014-5258

The vulnerability exists due to insufficient sanitization of the "file" HTTP GET parameter in "/webEdition/showTempFile.php" script. A remote authenticated user can send a specially crafted HTTP GET request containing directory traversal sequences (e.g. "../") and read contents of arbitrary files on the target system with privileges of the web server.

The exploitation example below display contents of "/etc/passwd" file:

http://[host]/webEdition/showTempFile.php?file=../../../../etc/passwd

Successful exploitation of the vulnerability requires valid user credentials. Registration is not open by default and all user accounts are created by the administrator of the web application. 

-----------------------------------------------------------------------------------------------

Solution:

Update to webEdition 6.3.9 Beta

More Information:
http://www.webedition.org/de/aktuelles/webedition-cms/webEdition-6.3.9-Beta-erschienen

#  0day.today [2018-03-14]  #