webEdition version 6.3.8.0 suffers from a path traversal vulnerability.
Vendor: webEdition e.V.
Vulnerable Version(s): 6.3.8.0 (SVN-Revision: 6985) and probably prior
Tested Version: 6.3.8.0 (SVN-Revision: 6985)
Advisory Publication: August 6, 2014 [without technical details]
Vendor Notification: August 6, 2014
Vendor Patch: September 4, 2014
Public Disclosure: September 17, 2014
Vulnerability Type: Path Traversal [CWE-22]
CVE Reference: CVE-2014-5258
Risk Level: Medium
CVSSv2 Base Score: 4 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered vulnerability in webEdition, which can be exploited to read arbitrary files on the target system.
1) Path Traversal in webEdition: CVE-2014-5258
The vulnerability exists due to insufficient sanitization of the "file" HTTP GET parameter in "/webEdition/showTempFile.php" script. A remote authenticated user can send a specially crafted HTTP GET request containing directory traversal sequences (e.g. "../") and read contents of arbitrary files on the target system with privileges of the web server.
The exploitation example below display contents of "/etc/passwd" file:
http://[host]/webEdition/showTempFile.php?file=../../../../etc/passwd
Successful exploitation of the vulnerability requires valid user credentials. Registration is not open by default and all user accounts are created by the administrator of the web application.
-----------------------------------------------------------------------------------------------
Solution:
Update to webEdition 6.3.9 Beta
More Information:
http://www.webedition.org/de/aktuelles/webedition-cms/webEdition-6.3.9-Beta-erschienen
# 0day.today [2018-03-14] #