Menu

Search for hundreds of thousands of exploits

"cPassMan 1.82 - Arbitrary File Download"

Author

Exploit author

"Sense of Security"

Platform

Exploit platform

php

Release date

Exploit published date

2011-04-15

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Sense of Security - Security Advisory - SOS-11-004

Release Date.                  15-Apr-2011
Last Update.                   -
Vendor Notification Date.      7-Mar-2011
Product.                       Collaborative Passwords Manager (cPassMan)
Platform.                      Independent (PHP)
Affected versions.             1.82 (verified), and possibly others
Severity Rating.               Medium
Impact.                        Local file system access
Attack Vector.                 Remote without authentication
Solution Status.               Upgrade to v2.0, v1.x branch no longer 
updated
CVE reference.                 Not yet assigned

Details.
A vulnerability has been discovered in the Collaborative Passwords Manager
(cPassMan) web application that can be exploited to retrieve files from the
local host file system. The input passed to the component
"sources/downloadfile.php" via the "path" variable allows the retrieval of 
any
file on the local file system that the web server has access to. There is no
data validation or authorisation mechanisms present within this component.

Proof of Concept.
http://localhost/cpassman/sources/downloadfile.php?path=/etc/passwd

Solution.
The author (Nils Laumaille) has indicated that the v1.x branch of cPassMan
will no longer be updated, as he has rewritten the application and v2.0 is 
now
the recommended release.

Discovered by.
Kaan Kivilcim - Sense of Security Labs.

About us.
Sense of Security is a leading provider of information
security and risk management solutions. Our team has expert
skills in assessment and assurance, strategy and architecture,
and deployment through to ongoing management. We are
Australia's premier application penetration testing firm and
trusted IT security advisor to many of the country's largest
organisations.

Sense of Security Pty Ltd
Level 8, 66 King St
Sydney NSW 2000
AUSTRALIA
T: +61 (0)2 9290 4444
F: +61 (0)2 9290 4455
W: http://www.senseofsecurity.com.au
E: info@senseofsecurity.com.au
Twitter: @ITsecurityAU

The latest version of this advisory can be found at:
http://www.senseofsecurity.com.au/advisories/SOS-11-004.pdf

Other Sense of Security advisories can be found at:
http://www.senseofsecurity.com.au/research/it-security-advisories.php
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Simple College Website 1.0 - 'page' Local File Inclusion" webapps php Mosaaed
2020-12-02 "WordPress Plugin Wp-FileManager 6.8 - RCE" webapps php "Mansoor R"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover" webapps php "Mufaddal Masalawala"
2020-12-02 "WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-12-02 "Car Rental Management System 1.0 - SQL Injection / Local File include" webapps php Mosaaed
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution" webapps php zetc0de
2020-12-02 "WonderCMS 3.1.3 - Authenticated Remote Code Execution" webapps php zetc0de
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
2020-12-01 "Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS" webapps php yunaranyancat
Release Date Title Type Platform Author
2013-11-12 "Juniper Junos J-Web - Privilege Escalation" webapps php "Sense of Security"
2013-04-08 "Google AD Sync Tool - Exposure of Sensitive Information" local multiple "Sense of Security"
2012-11-30 "SilverStripe CMS 3.0.2 - Multiple Vulnerabilities" webapps php "Sense of Security"
2012-09-05 "Ektron CMS 8.5.0 - Multiple Vulnerabilities" webapps asp "Sense of Security"
2012-08-27 "Elcom CMS 7.4.10 - Community Manager Insecure Arbitrary File Upload" webapps asp "Sense of Security"
2012-06-18 "QNAP Turbo NAS 3.6.1 Build 0302T - Multiple Vulnerabilities" webapps hardware "Sense of Security"
2012-03-07 "Iciniti Store - SQL Injection" webapps asp "Sense of Security"
2012-03-05 "Symfony2 - Local File Disclosure" webapps php "Sense of Security"
2012-02-23 "Snom IP Phone - Privilege Escalation" webapps hardware "Sense of Security"
2011-10-17 "WordPress Plugin BackWPUp 2.1.4 - Code Execution" webapps php "Sense of Security"
2011-09-20 "NETGEAR Wireless Cable Modem Gateway - Authentication Bypass / Cross-Site Request Forgery" webapps hardware "Sense of Security"
2011-09-19 "Cisco TelePresence SOS-11-010 - Multiple Vulnerabilities" webapps hardware "Sense of Security"
2011-07-20 "Oracle Sun GlassFish Enterprise Server - Persistent Cross-Site Scripting" webapps jsp "Sense of Security"
2011-06-18 "Cisco Unified Operations Manager 8.5 - iptm/eventmon Multiple Cross-Site Scripting Vulnerabilities" remote hardware "Sense of Security"
2011-06-18 "Cisco Unified Operations Manager 8.5 - 'iptm/advancedfind.do?extn' Cross-Site Scripting" remote hardware "Sense of Security"
2011-06-18 "Cisco Unified Operations Manager 8.5 - '/iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp' Multiple Cross-Site Scripting Vulnerabilities" remote hardware "Sense of Security"
2011-06-18 "Cisco Unified Operations Manager 8.5 - '/iptm/logicalTopo.do' Multiple Cross-Site Scripting Vulnerabilities" remote hardware "Sense of Security"
2011-06-18 "Cisco Unified Operations Manager 8.5 - 'iptm/ddv.do?deviceInstanceName' Cross-Site Scripting" remote hardware "Sense of Security"
2011-05-20 "PHP Captcha / Securimage 2.0.2 - Authentication Bypass" webapps php "Sense of Security"
2011-05-18 "CiscoWorks Common Services 3.1.1 - Auditing Directory Traversal" webapps java "Sense of Security"
2011-05-18 "CiscoWorks Common Services Framework 3.1.1 Help Servlet - Cross-Site Scripting" remote hardware "Sense of Security"
2011-05-18 "Cisco Unified Operations Manager 8.5 - Common Services Device Center Cross-Site Scripting" remote hardware "Sense of Security"
2011-05-18 "Cisco Unified Operations Manager - Multiple Vulnerabilities" remote windows "Sense of Security"
2011-04-15 "cPassMan 1.82 - Arbitrary File Download" webapps php "Sense of Security"
2011-03-28 "WordPress Plugin BackWPup - Remote Code Execution / Local Code Execution" webapps php "Sense of Security"
2010-12-20 "Elcom CommunityManager.NET - Authentication Bypass" webapps asp "Sense of Security"
2009-08-12 "Plume CMS 1.2.3 - Multiple SQL Injections" webapps php "Sense of Security"
2009-06-30 "XOOPS 2.3.3 - 'op' Multiple Cross-Site Scripting Vulnerabilities" webapps php "Sense of Security" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected