# Exploit Title: CuteEditor for PHP 6.6 - Directory Traversal # Google Dork: N/A # Date: November 17th, 2021 # Exploit Author: Stefan Hesselman # Vendor Homepage: http://phphtmledit.com/ # Software Link: http://phphtmledit.com/download/phphtmledit.zip # Version: 6.6 # Tested on: Windows Server 2019 # CVE : N/A There is a path traversal vulnerability in the browse template feature in CuteEditor for PHP via the "rename file" option. An attacker with access to CuteEditor functions can write HTML templates to any directory inside the web root. File: /phphtmledit/cuteeditor_files/Dialogs/Include_Security.php, Lines: 109-121 Vulnerable code: [SNIP] function ServerMapPath($input_path,$absolute_path,$virtual_path) { if($absolute_path!="") { return $absolute_path.str_ireplace($virtual_path,"",$input_path); } else { if(strtoupper(substr(PHP_OS, 0, 3) === 'WIN')) { if(empty($_SERVER['DOCUMENT_ROOT']) && !empty($_SERVER['SCRIPT_FILENAME'])) { $_SERVER['DOCUMENT_ROOT'] = str_replace( '\\', '/', substr($_SERVER['SCRIPT_FILENAME'], 0, 0 - strlen($_SERVER['PHP_SELF']))); } if(empty($_SERVER['DOCUMENT_ROOT']) && !empty($_SERVER['PATH_TRANSLATED'])) { $_SERVER['DOCUMENT_ROOT'] = str_replace( '\\', '/', substr(str_replace('\\\\', '\\', $_SERVER['PATH_TRANSLATED']), 0, 0 - strlen($_SERVER['PHP_SELF']))); } return $_SERVER["DOCUMENT_ROOT"].$input_path; } else { return ucfirst($_SERVER["DOCUMENT_ROOT"]).$input_path; } } } [SNIP] ServerMapPath() takes 3 arguments: $input_path, $absolute_path, and $virtual_path and is used, among others, in the browse_template.php file. File:/phphtmledit/cuteeditor_files/Dialogs/browse_Template.php, Lines: 47-56 Vulnerable function (renamefile, line 57): [SNIP] switch ($action) { [SNIP] case "renamefile": rename(ServerMapPath($_GET["filename"],$AbsoluteTemplateGalleryPath,$TemplateGalleryPath),ServerMapPath($_GET["newname"],$AbsoluteTemplateGalleryPath,$TemplateGalleryPath)); print ""; break; [SNIP] $input_path is $_GET["filename"] and is under control of the attacker. If an attacker uploads and renames the HTML template to '..\..\..\poc.html', it becomes: C:\Inetpub\wwwroot\..\..\..\poc.html Final result: writes poc.html to the webroot. STEPS: 1. Create a poc.html file (XSS PoC will do).