Croogo CMS Path Traversal Vulnerability Allowing Arbitrary File Read

A path traversal vulnerability has been identified in Croogo CMS version 4.0.7. This vulnerability allows authenticated remote attackers to read arbitrary files by exploiting the 'edit-file' parameter with a crafted path. The issue arises from insufficient validation of user input, enabling attackers to traverse directories and access files outside the web root, such as the sensitive '/etc/passwd' file.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the server, potentially including application configuration files or other critical system files.

Reproduction

To reproduce this vulnerability, log into the Croogo CMS application with valid credentials. Navigate to the file manager feature, which allows editing of files. Intercept a request to the 'edit-file' parameter using a tool like Burp Suite. Modify the request to include a path traversal sequence that points to a sensitive file, such as '/etc/passwd', and send the request. The response should include the contents of the requested file, demonstrating successful exploitation.

Remediation

To address this vulnerability, Croogo CMS should implement stricter input validation and sanitization to prevent path traversal attacks. Access controls should be applied to restrict unauthorized users from accessing sensitive files. Additionally, web server configurations should be reviewed to ensure that critical system files are not accessible through the web server.