0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
CuteEditor for PHP 6.6 - Directory Traversal Vulnerability
[# Exploit Title: CuteEditor for PHP 6.6 - Directory Traversal
# Exploit Author: Stefan Hesselman
# Vendor Homepage: http://phphtmledit.com/
# Software Link: http://phphtmledit.com/download/phphtmledit.zip
# Version: 6.6
# Tested on: Windows Server 2019
# CVE : N/A
There is a path traversal vulnerability in the browse template feature in CuteEditor for PHP via the "rename file" option. An attacker with access to CuteEditor functions can write HTML templates to any directory inside the web root.
File: /phphtmledit/cuteeditor_files/Dialogs/Include_Security.php, Lines: 109-121
Vulnerable code:
[SNIP]
function ServerMapPath($input_path,$absolute_path,$virtual_path)
{
if($absolute_path!="")
{
return $absolute_path.str_ireplace($virtual_path,"",$input_path);
}
else
{
if(strtoupper(substr(PHP_OS, 0, 3) === 'WIN'))
{
if(empty($_SERVER['DOCUMENT_ROOT']) && !empty($_SERVER['SCRIPT_FILENAME'])) {
$_SERVER['DOCUMENT_ROOT'] = str_replace( '\\', '/', substr($_SERVER['SCRIPT_FILENAME'], 0, 0 - strlen($_SERVER['PHP_SELF'])));
}
if(empty($_SERVER['DOCUMENT_ROOT']) && !empty($_SERVER['PATH_TRANSLATED'])) {
$_SERVER['DOCUMENT_ROOT'] = str_replace( '\\', '/', substr(str_replace('\\\\', '\\', $_SERVER['PATH_TRANSLATED']), 0, 0 - strlen($_SERVER['PHP_SELF'])));
}
return $_SERVER["DOCUMENT_ROOT"].$input_path;
}
else
{
return ucfirst($_SERVER["DOCUMENT_ROOT"]).$input_path;
}
}
}
[SNIP]
ServerMapPath() takes 3 arguments: $input_path, $absolute_path, and $virtual_path and is used, among others, in the browse_template.php file.
File:/phphtmledit/cuteeditor_files/Dialogs/browse_Template.php, Lines: 47-56
Vulnerable function (renamefile, line 57):
[SNIP]
switch ($action)
{
[SNIP]
case "renamefile":
rename(ServerMapPath($_GET["filename"],$AbsoluteTemplateGalleryPath,$TemplateGalleryPath),ServerMapPath($_GET["newname"],$AbsoluteTemplateGalleryPath,$TemplateGalleryPath));
print "<script language=\"javascript\">parent.row_click('".$_GET["newname"]."');</script>";
break;
[SNIP]
$input_path is $_GET["filename"] and is under control of the attacker. If an attacker uploads and renames the HTML template to '..\..\..\poc.html', it becomes:
C:\Inetpub\wwwroot\..\..\..\poc.html
Final result: writes poc.html to the webroot.
STEPS:
1. Create a poc.html file (XSS PoC will do).
<HTML>
<title>Path Traversal PoC</title>
<BODY>
<h1>PoC</h1>
<script>alert('directory traversal');</script>
</BODY>
</HTML>
2. Upload poc.html via the "Insert Templates" page using the "Upload files" option.
3. Select poc.html and select "Rename File".
4. Click on the pencil icon to the right of the poc.html file.
5. Rename file to "..\..\..\poc.html".
6. Press OK. poc.html is written three directories up.
This may require more or less dot dot slash (..\ or ../) depending on the size of your directory tree. Adjust slashes as needed.
# 0day.today [2024-11-16] #