Microweber CMS Local File Inclusion Vulnerability in Backup Management API

Vulnerability

A local file inclusion vulnerability has been identified in Microweber CMS versions through 1.2.11. This vulnerability arises from inadequate validation of user-supplied file paths in the backup management API. Authenticated users can exploit the /api/BackupV2/upload endpoint to upload files by specifying absolute file paths. Depending on the user's privileges, this action may overwrite or delete the original file. The /api/BackupV2/download endpoint can then be used to access the uploaded file, leading to unauthorized disclosure of local files.

Impact

Exploitation of this vulnerability allows authenticated users to read arbitrary files from the server's filesystem, potentially disclosing sensitive information. Additionally, the upload functionality can be misused to overwrite or delete files, including those crucial for the web application's operation, which could disrupt the application's response to HTTP requests.

Reproduction

To reproduce this vulnerability, an authenticated user can first upload a file by sending a request to the /api/BackupV2/upload endpoint with an absolute file path in the src parameter. After the file is uploaded, it can be downloaded using the /api/BackupV2/download endpoint by specifying the filename.
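The root cause described above is a file path taken from the src parameter and used without confinement to the backup directory. The following added example (not Microweber's code; BACKUP_DIR and the function names are assumptions) contrasts the weak join pattern with a containment check that rejects absolute paths, traversal components and symlink escapes:

```python
import os
from pathlib import Path
from typing import Optional

# Constructed example: the only directory backup archives may live in.
# The location is an assumption, not Microweber's real storage path.
BACKUP_DIR = Path("/var/www/storage/backups")


def naive_backup_path(src: str) -> Path:
    """The weak pattern: joining a user-supplied value onto the base directory.

    Path's '/' operator (like os.path.join) discards the base when the right
    side is absolute, so an absolute src is returned untouched, and '..'
    components are kept, so the result can point outside BACKUP_DIR.
    """
    return BACKUP_DIR / src


def safe_backup_path(src: str, base: Path = BACKUP_DIR) -> Optional[Path]:
    """Hardened check: return the resolved path only if it stays inside base.

    A backup archive is always a bare filename, so anything containing a
    separator or being absolute is rejected outright instead of 'cleaned'.
    Both sides are resolved so a symlink planted inside base cannot escape.
    Returns None for any value that does not belong to the backup directory.
    """
    if not src or os.path.isabs(src) or Path(src).is_absolute():
        return None
    if "/" in src or "\\" in src or src in (".", ".."):
        return None
    base_resolved = base.resolve()
    candidate = (base_resolved / src).resolve()
    try:
        # relative_to raises ValueError when candidate is not under base.
        candidate.relative_to(base_resolved)
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    for value in ("site-2025.zip", "/etc/hostname", "../../config.php"):
        print(f"{value!r}: naive={naive_backup_path(value)} "
              f"safe={safe_backup_path(value)}")
```

The same check applies to the download side: the filename handed to /api/BackupV2/download should pass through the same containment test before the file is opened.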

Remediation

Users can update to Microweber CMS version 2.0.20 or later, where this vulnerability has been fixed.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 6.7
exploitability: 5.9
remediation: 0.0
relevance: 0.2
threat: 7.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.