CVE-2018-15535
published 2018-08-24

Priority: P2 · 67 · high
CVSS 3.0: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EXPLOIT
EPSS: 45.24% (98.6th percentile)
/filemanager/ajax_calls.php in tecrail Responsive FileManager before 9.13.4 uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize get_file sequences such as ".." that can resolve to a location that is outside of that directory, aka Directory Traversal.

Affected

1 range
Vendor: tecrail
Product: responsive_filemanager
Version range: < 9.13.4
Fixed in: 9.13.4

Detection & IOCs (extracted from sources)

url: /filemanager/ajax_calls.php?action=get_file&sub_action=preview&preview_mode=text&title=source&file=../../../../etc/passwd
path: /filemanager/ajax_calls.php
url: /filemanager/ajax_calls.php?action=extract
filename: exploit.zip
  • Look for GET requests to /filemanager/ajax_calls.php with parameters action=get_file&sub_action=preview&preview_mode=text and a 'file' parameter containing directory traversal sequences (e.g., ../../../../etc/passwd)
  • Monitor POST requests to /filemanager/ajax_calls.php?action=extract with a body containing 'path=<archive_name>' — this triggers ZipSlip-style path traversal during archive extraction
  • Detect HTTP responses to the traversal request that match the pattern 'root:.*:0:0:' in the body, indicating successful /etc/passwd disclosure
  • Flag requests with X-Requested-With: XMLHttpRequest header targeting /filemanager/ajax_calls.php with traversal sequences ('..') in the 'file' query parameter
  • Inspect uploaded ZIP archives for entries containing '../../' path components (ZipSlip), which can write files outside the intended upload directory
  • The traversal exploit requires no authentication (PR:N) and is network-accessible, meaning any unauthenticated user can trigger it if the filemanager endpoint is exposed
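
Added example (not from the advisory or the project): a Python filter for the request-side detection notes above, run over constructed access-log lines. The combined-log layout, the function names and the 'extract-review' label are assumptions; the file value is decoded until stable and compared per path segment, so a name such as notes.v1..txt is not flagged.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/filemanager/ajax_calls.php"
REQ = re.compile(r'"(GET|POST) (\S+) HTTP/[\d.]+"')
_Q = "action=get_file&sub_action=preview&preview_mode=text&title=source&file="
SAMPLE = [  # constructed access-log lines, not captured traffic
    f'203.0.113.7 - - [t] "GET {ENDPOINT}?{_Q}../../../../etc/passwd HTTP/1.1" 200 1532',
    f'203.0.113.7 - - [t] "GET {ENDPOINT}?{_Q}%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1532',
    f'198.51.100.4 - - [t] "GET {ENDPOINT}?{_Q}notes.v1..txt HTTP/1.1" 200 88',
    f'198.51.100.4 - - [t] "POST {ENDPOINT}?action=extract HTTP/1.1" 200 0',
]

def fully_decode(value, rounds=3):
    """Percent-decode until the value stops changing (bounded), so every
    encoded form is compared in one canonical shape."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    """True if any path segment (split on / or \\) is exactly '..'."""
    return ".." in re.split(r"[\\/]", fully_decode(value))

def classify(log_line):
    """Return 'traversal-read', 'extract-review' or None for one log line."""
    m = REQ.search(log_line)
    if not m:
        return None
    method, target = m.groups()
    url = urlsplit(target)
    if not url.path.endswith(ENDPOINT):
        return None
    query = parse_qs(url.query)
    action = query.get("action", [""])[0]
    if method == "GET" and action == "get_file":
        if any(has_traversal(f) for f in query.get("file", [])):
            return "traversal-read"
    if method == "POST" and action == "extract":
        # The body (path=<archive_name>) is not in an access log: queue for review.
        return "extract-review"
    return None

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), "|", line)
```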

CVSS provenance

nvd · v3.0 · 7.5 · HIGH · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd · v2.0 · 5.0 · MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N