Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
ContentKeeper Web Appliance Arbitrary File Access Vulnerability via CGI Endpoint
Vulnerability
A vulnerability exists in ContentKeeper Web Appliance versions prior to 125.10, allowing unauthenticated attackers to access arbitrary files on the filesystem. This is achieved by exploiting the 'mimencode' binary, which is exposed through a CGI endpoint. Attackers can craft a POST request to the '/cgi-bin/ck/mimencode' endpoint, using traversal and output parameters to read sensitive files, such as '/etc/passwd', outside the webroot.
Impact
Exploitation of this vulnerability allows for unauthorized access to sensitive files on the affected system. Additionally, according to the aushack.com advisory, this vulnerability could be combined with a remote command execution and privilege escalation vulnerability also present in versions through 125.09, leading to a full root compromise.
Reproduction
To reproduce this vulnerability, send a POST request to the '/cgi-bin/ck/mimencode' CGI endpoint. Include traversal and output parameters to access files outside the webroot, such as '/etc/passwd'. The response will contain the requested file, encoded in base64. This vulnerability can be exploited using a Metasploit module available in the Metasploit Framework.
Remediation
Users are advised to upgrade to ContentKeeper Web Appliance version 125.10 or above.
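To check whether an appliance has already received requests to this endpoint, the following added example (not part of the original advisory) scans web access logs for requests to '/cgi-bin/ck/mimencode'. It assumes the logs are in common/combined log format; the function names and sample log lines are constructed for illustration.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

ENDPOINT = "/cgi-bin/ck/mimencode"  # CGI endpoint named in the advisory

# Assumed common/combined log format: ip ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalise_path(target):
    """Drop the query string, undo (double) percent-encoding, collapse // and dot segments."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    path = re.sub(r"/+", "/", path)
    # Lower-casing over-matches on purpose; extra hits are cheap to triage.
    return posixpath.normpath(path).lower()

def find_hits(lines):
    """Return one record per logged request that targets the mimencode endpoint."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalise_path(m["target"]) != ENDPOINT:
            continue  # unparseable line or unrelated request
        # POST bodies are not written to access logs, so method and status are the
        # only signals here; a POST answered with 200 is the case to triage first.
        served = m["method"] == "POST" and m["status"] == "200"
        hits.append({"ip": m["ip"], "time": m["time"], "method": m["method"],
                     "status": int(m["status"]), "severity": "high" if served else "review"})
    return hits

def summarise(hits):
    """Count matching requests per source address."""
    return dict(Counter(h["ip"] for h in hits))

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2024:10:01:02 +0000] "POST /cgi-bin/ck/mimencode HTTP/1.1" 200 1843',
    '198.51.100.7 - - [12/Mar/2024:10:01:05 +0000] "POST /cgi-bin//ck/%6dimencode HTTP/1.1" 200 912',
    '192.0.2.10 - - [12/Mar/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.4 - - [12/Mar/2024:10:03:00 +0000] "POST /cgi-bin/ck/mimencode HTTP/1.1" 404 210',
    'malformed line',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

Any hit on a system running a version prior to 125.10 warrants reviewing which files could have been read and rotating credentials stored on the appliance.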
