Signature Detail

HTTP: Responsive FileManager Zip Directory Traversal

A zip directory traversal vulnerability has been reported in Responsive FileManager. Successful exploitation could result in the creation or overwriting of files writable by the user running FileManager, leading to the possibility of arbitrary code execution.

Extended Description

/filemanager/ajax_calls.php in tecrail Responsive FileManager before 9.13.4 does not properly validate file paths in archives, allowing for the extraction of crafted archives to overwrite arbitrary files via an extract action, aka Directory Traversal.

Affected Products

• Tecrail responsive_filemanager 9.10.0
• Tecrail responsive_filemanager .9.10.1
• Tecrail responsive_filemanager 9.10.1
• Tecrail responsive_filemanager 9.10.2
• Tecrail responsive_filemanager 9.11.0
• Tecrail responsive_filemanager 9.11.3
• Tecrail responsive_filemanager 9.12.0
• Tecrail responsive_filemanager 9.12.1
• Tecrail responsive_filemanager 9.12.2
• Tecrail responsive_filemanager 9.13.0
• Tecrail responsive_filemanager 9.13.1
• Tecrail responsive_filemanager 9.13.3
• Tecrail responsive_filemanager .9.14.0
• Tecrail responsive_filemanager 9.6.0
• Tecrail responsive_filemanager 9.7.2
• Tecrail responsive_filemanager 9.7.3
• Tecrail responsive_filemanager 9.8
• Tecrail responsive_filemanager 9.8.1
• Tecrail responsive_filemanager 9.9.0
• Tecrail responsive_filemanager 9.9.1
• Tecrail responsive_filemanager 9.9.2
• Tecrail responsive_filemanager 9.9.3
• Tecrail responsive_filemanager 9.9.4
• Tecrail responsive_filemanager 9.9.5
• Tecrail responsive_filemanager 9.9.6
• Tecrail responsive_filemanager 9.9.7

References

• CVE: CVE-2018-15536
• URL: https://www.responsivefilemanager.com/
• URL: https://seclists.org/fulldisclosure/2018/aug/34