Manx cms.xml 1.0.1 (simplexml_load_file()) Directory Traversal Vulnerability

Title: Manx cms.xml 1.0.1 (simplexml_load_file()) Directory Traversal Vulnerability
Advisory ID: ZSL-2011-5060
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 28.11.2011
Summary
Manx is a Content Management System that stores page contents in XML text files instead of a MySQL database.
Description
Input passed via the 'fileName' parameter is not properly verified in '/admin/admin_blocks.php' and '/admin/admin_pages.php' (post-auth) before being concatenated into a path and handed to simplexml_load_file(). This can be exploited to disclose the contents of arbitrary files via directory traversal attacks.

--------------------------------------------------------------------------------

/admin/admin_blocks.php
----------------
20: if ( isset($_REQUEST['fileName']) && ($_REQUEST['fileName'] !== '') && strstr($_REQUEST['fileName'], 'Dir') == false )
21: {
22: $fileName = $_REQUEST['fileName'];
23: }
24: else $fileName = $new_file;

...
...

193: if ( ($fileName != '') && (file_exists($pathAdminToBlocks . $fileName)) )
194: {
195: $simple_element = simplexml_load_file($pathAdminToBlocks . $fileName);
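
The excerpt above only rejects values containing the substring 'Dir' before concatenating them onto the blocks directory, which is not a path check. The following is an added example, not code from Manx or from the vendor's patch, showing how the same fileName handling can be hardened: a positive allow-list on the name, followed by a realpath() containment check so that the resolved file must lie inside the blocks directory. The variable name $pathAdminToBlocks is taken from the advisory; the function names resolve_block_file() and load_block_xml(), and the temporary directory and sample block file used for the demonstration, are assumptions constructed for this example.

```php
<?php
// Added example: hardened replacement for the fileName handling excerpted
// above. Not Manx's own code; function names and sample data are assumptions.

function resolve_block_file($baseDir, $fileName)
{
    // Allow only a bare XML file name: no separators, no '..', no NUL bytes.
    // \A and \z anchor the whole string, so a trailing NUL or newline fails.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.xml\z/', $fileName)) {
        return false;
    }

    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $fileName);
    if ($base === false || $full === false) {
        return false;   // base directory missing or file does not exist
    }

    // Second line of defence: the resolved path must stay inside the base
    // directory even if a symlink was dropped into the blocks folder.
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($full, $base, strlen($base)) !== 0) {
        return false;
    }
    return $full;
}

function load_block_xml($baseDir, $fileName)
{
    $path = resolve_block_file($baseDir, $fileName);
    if ($path === false) {
        return null;
    }
    // LIBXML_NONET keeps the parser from fetching external resources while
    // loading the site's own block file.
    return simplexml_load_file($path, 'SimpleXMLElement', LIBXML_NONET);
}

// Demonstration against a constructed temporary blocks directory.
$pathAdminToBlocks = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'manx_blocks_' . getmypid();
mkdir($pathAdminToBlocks);
file_put_contents($pathAdminToBlocks . DIRECTORY_SEPARATOR . 'welcome.xml',
                  '<block><title>Hello</title></block>');

$block = load_block_xml($pathAdminToBlocks, 'welcome.xml');
echo 'valid name:   ', ($block !== null && (string) $block->title === 'Hello') ? "loaded\n" : "FAILED\n";

// Names that must be refused: a separator, a parent reference, a NUL byte,
// and a non-XML extension.
foreach (array('sub/welcome.xml', '../welcome.xml', "welcome.xml\0", 'welcome.php') as $bad) {
    echo 'rejected:     ', (load_block_xml($pathAdminToBlocks, $bad) === null) ? "yes\n" : "NO\n";
}

unlink($pathAdminToBlocks . DIRECTORY_SEPARATOR . 'welcome.xml');
rmdir($pathAdminToBlocks);
```

The allow-list alone closes the traversal described in the advisory; the realpath() containment check is kept as an independent second control so that the loader stays safe if the blocks directory is later populated by something other than the admin interface. Both checks run before simplexml_load_file() ever sees the path, which is the point the original code misses by validating only the presence of the substring 'Dir'.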

--------------------------------------------------------------------------------

Vendor
Paul Jova - http://manx.jovascript.com
Affected Version
1.0.1
Tested On
Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.21
MySQL 5.5.16
PHP 5.3.8
Vendor Status
[03.12.2011] Vendor releases patch (http://manx.jovascript.com/downloads.php).
PoC
manx_dt.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://packetstormsecurity.org/files/107359
[2] http://www.securityfocus.com/bid/50839
[3] http://osvdb.org/show/osvdb/77406
[4] http://osvdb.org/show/osvdb/77407
Changelog
[28.11.2011] - Initial release
[29.11.2011] - Added reference [1] and [2]
[01.12.2011] - Added reference [3] and [4]
[03.12.2011] - Added vendor status
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk