Path Traversal in microweber/microweber

Valid

Reported on

Mar 15th 2022


Description

A Path Traversal vulnerability exists in Language export function, which allows attacker upload files to an arbitrary location in the server. By adding the special characters on filename, it can lead to a Denial Of Service Attack.

Proof of Concept

[1.] Use the credential, access to the Language export function and click to the "export" button.

(https://demo.microweber.org/demo/admin/view:settings#option_group=language) alt LanguageFunction

[2.] By manipulating "namespace" or "locale" variables that reference files with “dot-dot-slash (../)” sequences, the attacker can store file in any locations on the server.

alt Payload

[3.] This vulnerability can lead to a Denial Of Services attack. On "Files Module" , It uses regular expression to remove the special characters of the uploaded files, However, by this attack, the attacker can upload the junk files whose name include special characters. "File module" could not be loaded in case of these files exist and we will receive the "500 Internal Server Error" for this response. alt Payload1 alt DoS alt DoS1

# Impact
This vulnerability can lead to a Denial of Service Attack, It allows attacker upload files to an arbitrary location in the server.
We are processing your report and will contact the microweber team within 24 hours. 2 months ago
Bozhidar Slaveykov modified the report
2 months ago
Bozhidar Slaveykov validated this vulnerability 2 months ago
thanhlocpanda has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bozhidar Slaveykov confirmed that a fix has been merged on 437a4b 2 months ago
Bozhidar Slaveykov has been awarded the fix bounty
to join this conversation