
Manx cms.xml 1.0.1 (simplexml_load_file()) Directory Traversal Vulnerability

Medium
Advisory ID: ZSL-2011-5060
Release Date: 28 November 2011
Vendor:
Affected Version: 1.0.1
CVE: N/A
Tested On: Microsoft Windows XP Professional SP3 (EN), Apache 2.2.21, MySQL 5.5.16, PHP 5.3.8
Summary

Manx is a Content Management System that stores page contents in XML text files instead of a MySQL database.

Description

Input passed via the 'fileName' parameter is not properly verified in '/admin/admin_blocks.php' and '/admin/admin_pages.php' (post-auth) before being handed to the simplexml_load_file() function to load files. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks.

/admin/admin_blocks.php
----------------
20: if ( isset($_REQUEST['fileName']) && ($_REQUEST['fileName'] !== '') && strstr($_REQUEST['fileName'], 'Dir') == false )
21: {
22:     $fileName = $_REQUEST['fileName'];
23: }
24: else $fileName = $new_file;
...
...
193: if ( ($fileName != '') && (file_exists($pathAdminToBlocks . $fileName)) )
194: {
195:     $simple_element = simplexml_load_file($pathAdminToBlocks . $fileName);
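The quoted code only rejects names containing the literal string 'Dir' and otherwise concatenates the request parameter straight onto the blocks directory, so path separators and '..' segments pass through. The following PHP is an added example written for this advisory, not the vendor's patch: it replaces the deny-list with an allow-list on the file name and a realpath() containment check. The variable names $pathAdminToBlocks and $_REQUEST['fileName'] are taken from the advisory; the helper resolveBlockFile(), its name pattern and the blocks directory location are assumptions.

```php
<?php
// Added example (not the vendor's code): a hardened replacement for the
// fileName handling quoted above from admin_blocks.php.

/**
 * Return the absolute path of an XML file that lives directly inside
 * $baseDir, or null when the requested name must not be opened.
 */
function resolveBlockFile(string $baseDir, string $requested): ?string
{
    // 1. Allow-list the shape of the name: a bare "name.xml" with no
    //    slashes, no "..", no NUL bytes. This is easier to reason about
    //    than a deny-list such as strstr($name, 'Dir').
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.xml\z/', $requested)) {
        return null;
    }

    // 2. Resolve both paths. realpath() collapses symlinks and ".."
    //    segments and returns false when the target does not exist, so a
    //    missing file is also refused here rather than by file_exists().
    $base = realpath(rtrim($baseDir, '/\\'));
    $full = realpath(rtrim($baseDir, '/\\') . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return null;
    }

    // 3. Require the resolved file to sit immediately under the base
    //    directory; anything that escaped it (or is a directory) is refused.
    if (dirname($full) !== $base || !is_file($full)) {
        return null;
    }
    return $full;
}

// Drop-in usage replacing the quoted lines 20-24 and 193-195.
$pathAdminToBlocks = __DIR__ . '/blocks/';          // assumed location
$fileName = (string) ($_REQUEST['fileName'] ?? '');
$target = resolveBlockFile($pathAdminToBlocks, $fileName);
if ($target === null) {
    http_response_code(400);
    exit('invalid block file');
}
$simple_element = simplexml_load_file($target);
```

With this in place, a request naming a file outside the blocks directory fails the regular expression before any filesystem call is made, and a file that somehow resolves outside the directory (for example via a symlink) is caught by the dirname() comparison. Logging the rejected value of $fileName at the 400 branch gives operators a cheap signal for traversal attempts against the admin pages.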
Proof of Concept
Disclosure Timeline
03.12.2011 Vendor releases patch (http://manx.jovascript.com/downloads.php).
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
28.11.2011 Initial release
29.11.2011 Added reference [1] and [2]
01.12.2011 Added reference [3] and [4]
03.12.2011 Added vendor status