Re: EasyWeb FileManager Directory Traversal

[Noam Rathaus <noamr () beyondsecurity com>]

On Saturday 24 July 2004 03:40, sullo () cirt net wrote:
> Product:
> EasyWeb FileManager Module - http://home.postnuke.ru/index.php
>
> Description:
> EasyWeb FileManager Module for PostNuke is vulnerable to a directory
> traversal problem which allows retrieval of arbitrary files from the remote
> system.
>
> Systems Affected:
> EasyWeb FileManager 1.0 RC-1
>
> Technical Description:
> The PostNuke module works by loading a directory and/or file via the
> "pathext" (directory) and "view" (file) variables. Providing a relative
> path (from the document repository) in the "pathext" variable will cause
> FileManager to provide a directory listing of that diretory. Selecting a
> file in that listing, or putting a file name in the "view" variable, will
> cause EasyWeb to load the file specified. Only files and directories which
> can be read by the system user running PHP can be retrieved.
>
> Assuming PostNuke is installed at the root level:
> /etc directory listing:
> /index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../e
> tc
>
> /etc/passwd file:
> /index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../e
> tc/&view=passwd
>
> Fix/Workaround:
> Use another file manager module for PostNuke, as the authors do not appear
> to be maintaining EW FileManager.
>
> Vendor Status:
> Vendor was contacted but did not respond.
>
> References:
> OSVDB-8193           http://www.osvdb.org/8193
> Original Advisory    http://www.cirt.net/advisories/ew_file_manager.shtml
>
>
>
>
> --
>
> http://www.cirt.net/   |   http://www.osvdb.org/
Hi,

Are you certain of your findings? You are stating that anyone can access 
through the EW FileManager module arbitrary files (that are world-readable)…

This doesn’t happen unless you have strictly configured your EW FileManager to 
work badly, as the PHP will return NOAUTH on any unauthorized user accessing 
the administrator interface, and specifically manager functionality.

The code that causes this can be found in pnadmin.php:
function ew_filemanager_admin_manager() {
...
...

  if(!pnSecAuthAction(0, 'ew_filemanager::', '::', ACCESS_EDIT)) {
    $output->Text(_NOAUTH);
    return $output->GetOutput();
  }

...

So you exploit won't work unless you are logged in to the EW FileManager. If 
this is true, then this greatly diminishes the validity of your 
vulnerability, as EW FileManager's purpose is:
( http://home.postnuke.ru/index.php?module=subjects&func=viewpage&pageid=3 )
Module designed to manage file and directories inside directory given by site 
admin.

So allowing someone you don't trust access to this PHP causes more danger than 
the simple fact that he can view files... he can upload new PHPs, that then 
can get executed, and provide a "complete" shell.

-- 
Thanks
Noam Rathaus
CTO
Beyond Security Ltd.

Join the SecuriTeam community on Orkut:
http://www.orkut.com/Community.aspx?cmm=44441