# Exploit Title: Multiple vulnerabilities in 360 Web Manager 3.0
# Google Dork: "Powered by 360 Web Manager 3.0"
# Date: 15/04/2011
# Author: Ignacio Garrido
# Contact: Ign.sec@gmail.com
# Software Link: www.360webmanager.com
# Version: v3.0
# Tested on: Linux * 2.6.18 *
# Vulnerability description:
360 Web Manager 3.0 ships an administration panel that includes a simple file
manager. The file manager script requires no authorization at all to list,
upload or delete files.
The panel can be found at:
http://www.2cto.com/adm/barra/assetmanager/assetmanager.php
By looking at the source code we can find the internal path of the application
right next to:
<input type="hidden" name="inpAssetBaseFolder0" id="inpAssetBaseFolder0" value="">
Through a forged POST request we can manipulate the path of the folder to list
or the file to delete:
inpFileToDelete=%2FfileToDelete%2F&inpCurrFolder=%2FpathToList%2F
(URL-decoded: inpFileToDelete=/fileToDelete/ and inpCurrFolder=/pathToList/).
The script does not restrict the folder to its own asset directory, so any path
the web server user can read or write is reachable.
Likewise, when uploading a file we can change the destination folder through
the "inpCurrFolder2" parameter, and there is no restriction on uploading PHP
files, so arbitrary PHP code can be placed on the server and then requested
through the web server.
Possible solutions:
* Require a valid admin panel session before the file manager serves any
list, upload or delete action.
* Forbid the upload of files with dangerous extensions such as .php, .php5,
etc. An allow-list of the asset types the panel actually needs is safer than
a deny-list, and every extension of a name like "x.php.jpg" should be checked.
* Confine the file manager to its own asset directory: resolve the requested
folder and reject anything outside that directory, and give the web server
user only the read/write permissions it needs within it.
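The three fixes modelled together, as an added example that is not 360 Web Manager code (the product is PHP; this is a Python model of the checks so the logic can be run and tested on its own). The session key, the allow-list of extensions and the asset directory are assumptions chosen for the example.

```python
"""Hardened list/delete/upload handling (added example, not project code)."""
import os
import tempfile

# Assumed allow-list of asset types. Anything not listed (php, php5, phtml,
# htaccess, ...) is refused because it is absent, not because it was foreseen.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


class FileManagerError(Exception):
    """Raised for any request the hardened file manager refuses."""


def require_admin_session(session):
    """Fix 1: only an authenticated admin session may use the file manager.
    'admin_id' is an assumed session key."""
    if not session.get("admin_id"):
        raise FileManagerError("admin login required")


def safe_filename(name):
    """Fix 2: a bare file name whose every dot-separated suffix is allow-listed,
    so 'shell.php', 'shell.php5', 'x.php.jpg' and '.htaccess' are all refused."""
    if not name or "\x00" in name or "/" in name or "\\" in name:
        raise FileManagerError("bad file name")
    parts = name.split(".")
    if len(parts) < 2 or parts[0] == "":
        raise FileManagerError("missing name or extension")
    for ext in parts[1:]:
        if ext.lower() not in ALLOWED_EXTENSIONS:
            raise FileManagerError("extension not allowed: " + ext)
    return name


def resolve_inside(base_dir, requested):
    """Fix 3: confine folder operations to the asset directory.
    Symlinks and '..' are resolved first; absolute paths and anything that
    ends up outside base_dir are refused."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if target != base and not target.startswith(base + os.sep):
        raise FileManagerError("path outside asset directory: " + requested)
    return target


def is_allowed_filename(name):
    try:
        safe_filename(name)
        return True
    except FileManagerError:
        return False


def is_inside(base_dir, requested):
    try:
        resolve_inside(base_dir, requested)
        return True
    except FileManagerError:
        return False


def list_folder(session, base_dir, folder):
    require_admin_session(session)
    return sorted(os.listdir(resolve_inside(base_dir, folder)))


def upload_file(session, base_dir, folder, filename, data):
    require_admin_session(session)
    path = os.path.join(resolve_inside(base_dir, folder), safe_filename(filename))
    with open(path, "xb") as fh:  # 'x': never overwrite an existing asset
        fh.write(data)
    return path


def delete_file(session, base_dir, folder, filename):
    require_admin_session(session)
    os.remove(os.path.join(resolve_inside(base_dir, folder), safe_filename(filename)))


if __name__ == "__main__":
    # Constructed demo: a throw-away asset directory and a fake admin session.
    admin = {"admin_id": 1}
    with tempfile.TemporaryDirectory() as assets:
        upload_file(admin, assets, "", "logo.png", b"\x89PNG demo")
        print(list_folder(admin, assets, ""))          # ['logo.png']
        for bad in ("shell.php", "x.php.jpg", "../../etc"):
            print(bad, "->", is_allowed_filename(bad) and is_inside(assets, bad))
        delete_file(admin, assets, "", "logo.png")
```

Applying the same three checks in the PHP handler (session test before any action, allow-listed extensions, realpath() of the requested folder compared against the asset base folder) closes all three issues the advisory reports.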