← Advisories

iManager Plugin v1.2.8 (d) Remote Arbitrary File Deletion Vulnerability

Medium
Advisory ID
ZSL-2011-5043
Release Date
16 September 2011
Vendor
net4visions.com - http://www.net4visions.com
Affected Version
<= 1.2.8 Build 02012008
CVE
N/A
Tested On
Microsoft Windows XP Professional SP3 (EN), Apache 2.2.14 (Win32), PHP 5.3.1, MySQL 5.1.41
Summary

With iManager you can manage your files/images on your webserver, and it provides user interface to most of the phpThumb() functions. It works either stand-alone or as a plugin to WYSIWYG editors like tinyMCE, SPAW, htmlAREA, Xinha and FCKeditor.

Description

Input passed to the 'd' parameter in /scripts/phpCrop/crop.php is not properly sanitised before being used to delete files. This can be exploited to delete files with the permissions of the web server via directory traversal sequences passed within the 'd' parameter.

/scripts/phpCrop/crop.php ---------------- 32: if( isset($_REQUEST['s']) ) { 33: //delete previous temp files 34: $matches = glob($d . '{*.jpg,*.JPG}', GLOB_BRACE); 35: if ( is_array ( $matches ) ) { 36: foreach ( $matches as $fn) { 37: @unlink($fn); 38: } 39: }
Proof of Concept
imanager_del.txtTXT
Disclosure Timeline
N/A
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]http://www.securityfocus.com/bid/49662
[2]http://www.exploit-db.com/exploits/17852/
[3]http://packetstormsecurity.org/files/105193
[4]http://secunia.com/advisories/46063/
[5]http://www.securelist.com/en/advisories/46063
[6]http://www.net-security.org/secworld.php?id=11649
[7]http://1337day.com/exploits/16930
[8]http://securityreason.com/wlb_show/WLB-2011090090
[9]http://xforce.iss.net/xforce/xfdb/69919
[10]http://osvdb.org/show/osvdb/75602
Changelog
16.09.2011Initial release
17.09.2011Added reference [1] and [2]
18.09.2011Added reference [3]
19.09.2011Added reference [4]
20.09.2011Added reference [5], [6], [7] and [8]
22.09.2011Added reference [9] and [10]