[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] Acuity CMS 2.6.x <= Path Traversal Arbitrary File Access
- To: full-disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>, bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, secalert@xxxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx, vuln <vuln@xxxxxxxxxxx>, vuln@xxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx, moderators@xxxxxxxxx, submissions@xxxxxxxxxxxxxxxxxxxxxxx, submit@xxxxxxxxxxxxxx, oss-security@xxxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Acuity CMS 2.6.x <= Path Traversal Arbitrary File Access
- From: YGN Ethical Hacker Group <lists@xxxxxxxx>
- Date: Sun, 20 May 2012 17:47:35 +0800
1. OVERVIEW
Acuity CMS 2.6.x (ASP-based) versions are vulnerable to Path Traversal.
2. BACKGROUND
Acuity CMS is a powerful but simple, extremely easy to use, low
priced, easy to deploy content management system. It is a leader in
its price and feature class.
3. VULNERABILITY DESCRIPTION
The issue is due to the script, /admin/file_manager/browse.asp, not
properly sanitizing user input, specifically directory traversal style
attacks (e.g., ../../) supplied via the 'path' parameter. It would
allow the attacker to access arbitrary files outside of web root
directory.
4. VERSIONS AFFECTED
Tested with version 2.6.2.
5. PROOF-OF-CONCEPT/EXPLOIT
http://localhost/admin/file_manager/browse.asp?field=&form=&path=../../
6. SOLUTION
The Acunity CMS is no longer in active development.
It is recommended to user another CMS in active development and support.
7. VENDOR
The Collective
http://www.thecollective.com.au/
8. CREDIT
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2012-05-20: vulnerability disclosed
10. REFERENCES
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bacuity_cms2.6%20x_(asp)%5D_path_traversal
#yehg [2012-05-20]
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/