Path Traversal in microweber/microweber

Valid

Reported on

Mar 15th 2022

Description

A Path Traversal vulnerability exists in Language export function, which allows attacker upload files to an arbitrary location in the server. By adding the special characters on filename, it can lead to a Denial Of Service Attack.

Proof of Concept

[1.] Use the credential, access to the Language export function and click to the "export" button.

(https://demo.microweber.org/demo/admin/view:settings#option_group=language) alt LanguageFunction

[2.] By manipulating "namespace" or "locale" variables that reference files with “dot-dot-slash (../)” sequences, the attacker can store file in any locations on the server.

alt Payload

[3.] This vulnerability can lead to a Denial Of Services attack. On "Files Module" , It uses regular expression to remove the special characters of the uploaded files, However, by this attack, the attacker can upload the junk files whose name include special characters. "File module" could not be loaded in case of these files exist and we will receive the "500 Internal Server Error" for this response. alt Payload1 alt DoS alt DoS1

# Impact
This vulnerability can lead to a Denial of Service Attack, It allows attacker upload files to an arbitrary location in the server.

We are processing your report and will contact the microweber team within 24 hours. 2 years ago

Bozhidar Slaveykov modified the report

2 years ago

Bozhidar Slaveykov validated this vulnerability 2 years ago

thanhlocpanda has been awarded the disclosure bounty

The fix bounty is now up for grabs

Bozhidar Slaveykov marked this as fixed in 1.2.11 with commit 437a4b 2 years ago

Bozhidar Slaveykov has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation