Date: Sun, 20 May 2012 17:47:35 +0800 From: YGN Ethical Hacker Group <lists@...g.net> To: full-disclosure <full-disclosure@...ts.grok.org.uk>, bugtraq <bugtraq@...urityfocus.com>, secalert@...urityreason.com, bugs@...uritytracker.com, vuln <vuln@...unia.com>, vuln@...urity.nnov.ru, news@...uriteam.com, moderators@...db.org, submissions@...ketstormsecurity.org, submit@...ecurity.com, oss-security@...ts.openwall.com Subject: Acuity CMS 2.6.x <= Path Traversal Arbitrary File Access 1. OVERVIEW Acuity CMS 2.6.x (ASP-based) versions are vulnerable to Path Traversal. 2. BACKGROUND Acuity CMS is a powerful but simple, extremely easy to use, low priced, easy to deploy content management system. It is a leader in its price and feature class. 3. VULNERABILITY DESCRIPTION The issue is due to the script, /admin/file_manager/browse.asp, not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the 'path' parameter. It would allow the attacker to access arbitrary files outside of web root directory. 4. VERSIONS AFFECTED Tested with version 2.6.2. 5. PROOF-OF-CONCEPT/EXPLOIT http://localhost/admin/file_manager/browse.asp?field=&form=&path=../../ 6. SOLUTION The Acunity CMS is no longer in active development. It is recommended to user another CMS in active development and support. 7. VENDOR The Collective http://www.thecollective.com.au/ 8. CREDIT Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 9. DISCLOSURE TIME-LINE 2012-05-20: vulnerability disclosed 10. REFERENCES Original Advisory URL: http://yehg.net/lab/pr0js/advisories/%5Bacuity_cms2.6%20x_(asp)%5D_path_traversal #yehg [2012-05-20]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.