Vendor: Nova CMS
By: Red Security TEAM
CVSS: 8.8 (HIGH)
Type: Directory Traversal
CWE: 22
Product Name: Nova CMS
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: CentOS
Year: 2012

Nova CMS Directory Travel

Nova CMS is vulnerable to a directory traversal attack through the forum's "Attach File" feature. An attacker registers on the forum, clicks the "New Topic" tab, clicks the "Attach File" option in the editor, and starts Live HTTP headers. After adding a new allowed file, the attacker finds the request containing dir=uploads%2Fforum%2Fdata-YourUsername2F&options=true&ajax=true and clicks Reply in Live HTTP headers, changing the directory to dir=uploads%2F or dir=uploads%2Fbackup%2F. The attacker cannot move above the uploads directory, but can view all the directories inside it, including other users' files and uploads/backup/.

Mitigation:

Ensure that the application is not vulnerable to directory traversal attacks by validating user input and restricting access to sensitive files and directories.
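
The Python sketch below is an added example, not Nova CMS code. It contrasts a check that only keeps dir= under uploads/ (the behaviour described above) with one that confines it to the caller's own uploads/forum/data-<username>/ folder. All function names, the username policy and the sample requests are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from urllib.parse import parse_qs

UPLOADS = "uploads"  # base folder name, taken from the dir= values on the page

def _inside(parent, child):
    # Compare canonical paths component-wise so "..", symlinks and absolute paths cannot escape.
    return os.path.commonpath([parent, child]) == parent

def resolve_weak(root, query):
    """Only confines dir= to uploads/, so any user can browse every folder below it."""
    base = os.path.realpath(os.path.join(root, UPLOADS))
    target = os.path.realpath(os.path.join(root, parse_qs(query)["dir"][0]))
    if not _inside(base, target):
        raise PermissionError("outside uploads/")
    return target

def resolve_hardened(root, username, query):
    """Confines dir= to the caller's own uploads/forum/data-<username>/ folder."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,32}", username):  # assumed username policy
        raise PermissionError("bad username")
    own = os.path.realpath(os.path.join(root, UPLOADS, "forum", "data-" + username))
    target = os.path.realpath(os.path.join(root, parse_qs(query)["dir"][0]))
    if not _inside(own, target):
        raise PermissionError("outside caller's folder")
    return target

def allowed(fn, *args):
    try:
        fn(*args)
        return True
    except PermissionError:
        return False

def demo():
    """Returns {label: (weak_allows, hardened_allows)} for constructed requests from 'alice'."""
    queries = {
        "own": "dir=uploads%2Fforum%2Fdata-alice%2F&options=true&ajax=true",
        "other_user": "dir=uploads%2Fforum%2Fdata-bob%2F&options=true&ajax=true",
        "backup": "dir=uploads%2Fbackup%2F&options=true&ajax=true",
        "dotdot": "dir=uploads%2Fforum%2Fdata-alice%2F..%2Fdata-bob%2F&ajax=true",
    }
    with tempfile.TemporaryDirectory() as root:  # constructed upload tree
        for d in ("forum/data-alice", "forum/data-bob", "backup"):
            os.makedirs(os.path.join(root, UPLOADS, d))
        return {k: (allowed(resolve_weak, root, q), allowed(resolve_hardened, root, "alice", q))
                for k, q in queries.items()}
```

The username passed to resolve_hardened must come from the authenticated session, never from the request itself.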
Source

Exploit-DB raw data:

# 
# Title     : Nova CMS Directory Travel
# Author    : Red Security TEAM
# Date      : 21/01/2012
# Download  : http://www.nova-cms.com/uploads/files/novacms.zip
# Tested On : CentOS
# Dork      : Copyright ©2005-2011 by Nova CMS.
# Contact   : Info [ 4t ] RedSecurity [ d0t ] COM
# Home      : http://RedSecurity.COM
#
# Exploit   :
# 
# 1. Register
# 2. Go to forum and click on "NEW TOPIC"
# 3. In the above tab in editor click on last picture "Attach File"
# 4. Start Live HTTP headers
# 5. Add a new allowed file
# 6. Find dir=uploads%2Fforum%2Fdata-YourUsername2F&options=true&ajax=true and click on Reply on Live HTTP headers
# 7. Change to dir=uploads%2F , dir=uploads%2Fbackup%2F
# 8. You can't back to directory before uploads directory but you can see all directory in uploads example another users files and uploads/backup/ ;):D
#