Green CMS Path Traversal Vulnerability Allowing Arbitrary File Download

A path traversal vulnerability has been identified in Green CMS versions 2.x. This vulnerability allows authenticated attackers to download arbitrary files and directories by injecting directory traversal sequences. Exploitation can be achieved by manipulating the theme_name parameter in the themeexporthandle action or by supplying base64-encoded file paths to the downfile action, thereby retrieving sensitive files located outside the intended directories.

Impact

Successful exploitation of this vulnerability could lead to unauthorized access to sensitive files and directories on the server.

Reproduction

To reproduce this vulnerability, an authenticated user can send a request to the 'index.php' file with the 'themeexporthandle' action. The 'theme_name' parameter can be manipulated to include directory traversal sequences, such as '../../../', to access files outside the application's root directory. Alternatively, base64-encoded file paths can be sent through the 'downfile' action to download specific files.