# Exploit Title: Multiple vulnerabilities in 360 Web Manager 3.0# Google Dork: "Powered by 360 Web Manager 3.0"# Date: 15/04/2011# Author: Ignacio Garrido# Contact: Ign.sec@gmail.com# Software Link: www.360webmanager.com# Version: v3.0# Tested on: Linux *2.6.18*#Vulnerability description:360 Web Manager 3.0 makes use of a panel manager which uses a simple file
manager, this script don't require any authorization at all to upload,list,or even delete files.
We can find this panel at: http://[site]/adm/barra/assetmanager/assetmanager.php.
By looking the source code we can find the internal path of the application
right next to:"<input type="hidden" name="inpAssetBaseFolder0"
id="inpAssetBaseFolder0"
value=""
Trough a forged post we can manipulate the path of the folder to listor
delete: inpFileToDelete=%2FfileToDelete%2F&inpCurrFolder=%2FpathToList%2F
Also when uploading a file we can easily change the path of the folder by
changing the "inpCurrFolder2" parameter (there's no restriction to upload
php files!).
Possible solutions:*Use the admin panel session to authenticate the use of the file manager.*Forbid the upload of files with dangerous extensions such as.php,.php5,
etc.*Give the appropriate permissions to read files within its own file
directory.
