Simogeo Filemanager Directory Traversal Vulnerability Allowing Arbitrary File Read
Vulnerability
A directory traversal vulnerability has been identified in Simogeo Filemanager versions through 2.0.0, allowing unauthenticated attackers to read arbitrary files on the server. This is achieved by manipulating the 'path' parameter in HTTP requests to the 'filemanager.php' endpoint. The vulnerability arises from insufficient input sanitization, particularly in versions 0.8 to 2.3.0. Exploitation can be done through various API modes, including 'preview', 'getfolder', 'getinfo', and 'download', depending on the specific Filemanager version. Versions 2.1.0 to 2.3.0 are only vulnerable in 'preview' mode.
Impact
Successful exploitation allows unauthorized users to read sensitive files on the server, such as configuration files and logs, which could lead to further attacks or privilege escalation.
Reproduction
The vulnerability can be reproduced by sending a GET request to the 'filemanager/connectors/php/filemanager.php' endpoint with a crafted 'path' parameter that includes directory traversal sequences. This can be done using a web browser, curl, or a similar tool. Depending on the Filemanager version and the API mode selected, this request can be used to read arbitrary files, list directory contents, or download files.
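A log check for the request shape described above, added here as an example and not part of the original advisory or the Filemanager project. It flags requests to the connector whose 'path' value contains a '..' segment after decoding. The query parameter name `mode` and the combined access-log format are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "filemanager/connectors/php/filemanager.php"  # endpoint named in the advisory
MODES = {"preview", "getfolder", "getinfo", "download"}  # API modes named in the advisory
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalized."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(path_value):
    """True if any path segment is '..' once decoded ('/' or '\\' separators)."""
    return ".." in re.split(r"[\\/]+", fully_decode(path_value))

def inspect_line(line):
    """Return a finding dict for a traversal attempt on the connector, else None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    url = urlsplit(match["target"])
    if not fully_decode(url.path).lower().endswith(ENDPOINT):
        return None
    query = parse_qs(url.query, keep_blank_values=True)  # decodes one layer
    mode = (query.get("mode") or [""])[0].lower()  # 'mode' parameter name is an assumption
    hits = [p for p in query.get("path", []) if has_traversal(p)]
    if not hits:
        return None
    return {"mode": mode, "known_mode": mode in MODES, "path": fully_decode(hits[0])}

# Constructed access-log lines (combined log format), not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /filemanager/connectors/php/filemanager.php?mode=getfolder&path=/userfiles/images/ HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /filemanager/connectors/php/filemanager.php?mode=preview&path=../../../../srv/app/placeholder.conf HTTP/1.1" 200 2048',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /filemanager/connectors/php/filemanager.php?mode=download&path=%252e%252e%252f%252e%252e%252fplaceholder.log HTTP/1.1" 200 90',
    '203.0.113.9 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?path=../x HTTP/1.1" 404 10',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        finding = inspect_line(entry)
        if finding:
            print(finding)
```

A 200 response on a flagged line is worth prioritizing, since it suggests the file was actually served.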
Remediation
Users are advised to upgrade to Simogeo Filemanager version 2.5.0 or later, as versions 2.4.0 and 2.5.0 have been patched. However, version 2.5.0 is deprecated, and users are advised to switch to RichFileManager.
