Description
The template viewer on http://[server name]/[base path]/modules/system/admin.php?fct=tplsets allows a malicious user to read restricted files outside of the web server’s root directory, such as /etc/passwd/.
This viewer is restricted to admins, but it must return a permission error when users try to access restricted files and directories.
Screenshot
If I have to describe how to reproduce this issue, please let me know.
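
One way to implement the containment check the report asks for, shown as an added example (not XOOPS code and not part of the original report). The helper name `resolve_inside_base()`, the demo directory layout and the sample request strings are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helper, not taken from the XOOPS code base.
// Returns the canonical path of $requested only if it is a regular file
// located inside $baseDir; otherwise it throws a permission error.
function resolve_inside_base(string $baseDir, string $requested): string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('Base directory is not available');
    }
    // Reject NUL bytes before the value reaches any filesystem call.
    if (strpos($requested, "\0") !== false) {
        throw new RuntimeException('Permission denied');
    }
    // realpath() collapses "..", "." and symlinks; it returns false
    // when the target does not exist.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException('Permission denied');
    }
    // Compare against the base plus a trailing separator so that a
    // sibling such as /base-other cannot pass as being inside /base.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('Permission denied');
    }
    return $real;
}

// Constructed demo data: a throwaway template directory with one file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . bin2hex(random_bytes(4));
mkdir($base . DIRECTORY_SEPARATOR . 'default', 0700, true);
file_put_contents($base . '/default/index.tpl', '<{$title}>');

// Constructed request values: one legitimate, three that leave the base.
$samples = ['default/index.tpl', '../../../../etc/passwd', '/etc/passwd', 'default/../../x.tpl'];
foreach ($samples as $candidate) {
    try {
        echo $candidate, ' => ', resolve_inside_base($base, $candidate), PHP_EOL;
    } catch (RuntimeException $e) {
        echo $candidate, ' => ', $e->getMessage(), PHP_EOL;
    }
}

// Remove the demo files again.
unlink($base . '/default/index.tpl');
rmdir($base . '/default');
rmdir($base);
```

Only the first sample resolves to a path; the other three end in `Permission denied`, which is the behaviour the report expects from the viewer even for an authenticated admin.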