Uncaught Exception in microweber/microweber

Valid

Reported on

Feb 19th 2022

Description

The application is not able to handle errors, leading to expose of internal files paths.

Vulnerable POC Url: https://demo.microweber.org/demo/api/save_edit Vulnerable Endpoint: demo/api/save_edit Vulnerable Parameter: data_base64= Request Method: POST

Proof of Concept

  1. Send a POST request to https://demo.microweber.org/demo/api/save_edit
  2. Set parameter data_base64= value to:

"eyJmaWVsZF9kYXRhXzAiOnsiYXR0cmlidXRlcyI6eyJjbGFzcyI6ImVkaXQgbWFpbi1jb250ZW50IiwicmVsIjoiY29udGVudCIsImZpZWxkIjoiY29udGVudCJ9LCJodG1sIjoiXG4gICAgPGRpdiBjbGFzcz1cIm1vZHVsZSBtb2R1bGUtbGF5b3V0c1wiIGlkPVwibW9kdWxlLWxheW91dHMtMjVcIiBkYXRhLW13LXRpdGxlPVwiTGF5b3V0c1wiIHRlbXBsYXRlPVwic2tpbi0xXCIgZGF0YS10eXBlPVwibGF5b3V0c1wiIHBhcmVudC1tb2R1bGU9XCJsYXlvdXRzXCIgcGFyZW50LW1vZHVsZS1pZD1cIm1vZHVsZS1sYXlvdXRzLTI1XCI%2BXG5cbjxzZWN0aW9uIGNsYXNzPVwic2VjdGlvbiBwLXQtMTAwIHAtYi0xMDAgbm9kcm9wIGNsZWFuLWNvbnRhaW5lciBlZGl0IGNoYW5nZWRcIiBmaWVsZD1cImxheW91dC1za2luLTEtbW9kdWxlLWxheW91dHMtMjVcIiByZWw9XCJtb2R1bGVcIj5cbiAgICA8ZGl2IGNsYXNzPVwiY29udGFpbmVyXCI%2BXG4gICAgICAgIDxkaXYgY2xhc3M9XCJyb3dcIj5cbiAgICAgICAgICAgIDxkaXYgY2xhc3M9XCJjb2wtMTIgY29sLW1kLTEyIGFsbG93LWRyb3AgZWxlbWVudFwiIGlkPVwiZWxlbWVudF8xNjQ1MjcyMDM1NjA2XCI%2BXG4gICAgICAgICAgICAgICAgPGRpdiBjbGFzcz1cIm13LXJvd1wiIHN0eWxlPVwiaGVpZ2h0OiBhdXRvO1wiIGlkPVwiZWxlbWVudF9yb3dfMTY0NTI3MjAzNTU2MFwiPlxuICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPVwibXctY29sXCIgc3R5bGU9XCJ3aWR0aDogMTAwJTsgaGVpZ2h0OiBhdXRvO1wiPlxuICAgICAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz1cIm13LWNvbC1jb250YWluZXIgZWxlbWVudFwiPlxuICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9XCJtdy1lbXB0eS1lbGVtZW50IGVsZW1lbnRcIiBpZD1cImVsZW1lbnRfMTY0NTI3MjAzNTYwOFwiPjxicj48L2Rpdj5cbiAgICAgICAgICAgICAgICAgICAgICAgIDwvZGl2PlxuICAgICAgICAgICAgICAgICAgICA8L2Rpdj5cbiAgICAgICAgICAgICAgICA8L2Rpdj5cbiAgICAgICAgICAgIDwvZGl2PlxuICAgICAgICA8L2Rpdj5cbiAgICA8L2Rpdj5cbjwvc2VjdGlvbj5cbjwvZGl2PlxuIn0sImZpZWxkX2RhdGFfMSI6eyJhdHRyaWJ1dGVzIjp7ImNsYXNzIjoic2VjdGlvbiBwLXQtMTAwIHAtYi0xMDAgbm9kcm9wIGNsZWFuLWNvbnRhaW5lciBlZGl0IiwiZmllbGQiOiJsYXlvdXQtc2tpbi0xLW1vZHVsZS1sYXlvdXRzLTI1IiwicmVsIjoibW9kdWxlIn0sImh0bWwiOiJcbiAgICA8ZGl2IGNsYXNzPVwiY29udGFpbmVyXCI%2BXG4gICAgICAgIDxkaXYgY2xhc3M9XCJyb3dcIj5cbiAgICAgICAgICAgIDxkaXYgY2xhc3M9XCJjb2wtMTIgY29sLW1kLTEyIGFsbG93LWRyb3AgZWxlbWVudFwiIGlkPVwiZWxlbWVudF8xNjQ1MjcyMDM1NjA2XCI%2BXG4gICAgICAgICAgICAgICAgPGRpdiBjbGFzcz1cIm13LXJvd1wiIHN0eWxlPVwiaGVpZ2h0OiBhdXRvO1wiIGlkPVwiZWxlbWVudF9yb3dfMTY0NTI3MjAzNTU2MFwiPlxuICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPVwibXctY29sXCIgc3R5bGU9XCJ3aWR0aDogMTAwJTsgaGVpZ2h0OiBhdXRvO1wiPlxuICAgICAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz1cIm13LWNvbC1jb250YWluZXIgZWxlbWVudFwiPlxuICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9XCJtdy1lbXB0eS1lbGVtZW50IGVsZW1lbnRcIiBpZD1cImVsZW1lbnRfMTY0NTI3MjAzNTYwOFwiPjxicj48L2Rpdj5cbiAgICAgICAgICAgICAgICAgICAgICAgIDwvZGl2PlxuICAgICAgICAgICAgICAgICAgICA8L2Rpdj5cbiAgICAgICAgICAgICAgICA8L2Rpdj5cbiAgICAgICAgICAgIDwvZGl2PlxuICAgICAgICA8L2Rpdj5cbiAgICA8L2Rpdj5cbiJ9LCJpc19kcmFmdCI6dHJ1ZX0%3D"

(without double quotes),

  1. It will return a 200 OK response,
  2. Now remove data_base64= parameter's value, and add any random base64 encoded string, for example: "YW55dGhpbmdyYW5kb20="

(without double quotes)

  1. Or just send this:

data_base64=YW55dGhpbmdyYW5kb20=

  1. Now the server will return a: 500 Internal Server Error, response Exposing Internal files paths in error response body.

Impact

This vulnerability leads to information disclosure of internal files paths.

We are processing your report and will contact the microweber team within 24 hours. a year ago
Peter Ivanov validated this vulnerability a year ago
Damanpreet has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed in 1.2.11 with commit fa427b a year ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation