<<< Date Index >>>     <<< Thread Index >>>

Terracotta Personal Edition Multiple vulnerabilities



Its been awhile since I've posted something, so lets get to the goods.

Terracotta is a an open source CMS from 
http://sourceforge.net/projects/terracotta/

First up, we have Full path disclosure vulnerabilities in the GET'd variable 
'File'. Specify something other than whats in the list and we get full paths 
and other useful information. 

Next we have some nice LFI. 

To LFI this code, we try the following:

www.example.com/index.php?CurrentDirectory=FOLDER_420c142a1bebd1.90885049/../../../../../../../../../etc/&StartAt=12

The GET'd variable Current directory fails to check for other invalid input 
allowing us to specifiy folders outside the normal program's environment. 
though we can only specify folders, it will display them for us as if it were 
part of its normal viewing procedures. 

To add insult to injury, there is another parameter present for download 
processing that we can manipulate to specify which file we want. 
www.example.com/index.php?CurrentDirectory=FOLDER_420c142a1bebd1.90885049/../../whatever/&StartAt=12&File=whateverwewant.txt

This used in conjunction with our full path disclosures allow for some 
directory and file probing as well as a peek at server side code.

No patch yet. Happy hunting!