Insecure Permissions Vulnerability

monstra-cms / monstra

THIS PROJECT IS NOT SUPPORTED ANYMORE! Check FLEXTYPE.ORG

http://flextype.org

MIT License

396 stars 123 forks source link

Insecure Permissions Vulnerability #434

Open sunu11 opened 6 years ago

sunu11 commented 6 years ago

Hi @Awilum, I would like to report some security vulnerabilities that I found in MonstraCMS, can you guide me how to disclose them. Should I create a new issue or should I email the details?

sunu11 commented 6 years ago

I reported to the cve platform, they let me use CVE-2018-9038, you can contact them for details

sunu11 commented 6 years ago

Vulnerability description Monstra CMS 3.0.4 allows remote attackers to delete files via an admin/index.php?id=filesmanager&delete_dir=./&path=uploads/ request.

Vulnerability Type Insecure Permissions

Expected Behavior deleted uploads folder

Steps to Reproduce 1、Log in as a user with page editing permissions 2、Request http://your_site/admin/index.php?id=filesmanager&delete_dir=./&path=uploads

Possible Solutions Strictly filter the deletedir parameter and replace './' with '/'

ClarusAD commented 4 years ago

idem here, but the issue appears at first step when installing :-(