CVE-2021-44351
Description
An arbitrary file read vulnerability exists in NavigateCMS 2.9 via /navigate/navigate_download.php id parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated arbitrary file read in NavigateCMS 2.9 via path traversal bypass in navigate_download.php id parameter.
Vulnerability
An arbitrary file read vulnerability exists in NavigateCMS 2.9 via the id parameter in /navigate/navigate_download.php. The application attempts to filter path traversal sequences by removing ../ from the input, but the removal is a single, non-recursive pass, so the filter can be bypassed with the payload ....//: once the inner ../ is removed, the remaining characters form ../ again. This allows an attacker to read arbitrary files on the server [1].
Exploitation
An attacker must first authenticate to obtain a valid session ID (sid) from cookies. With the sid, they can craft a request to /navigate/navigate_download.php with the sid and id parameters. The id parameter is set to a path traversal payload such as ....//....//....//....//etc/passwd to read system files, or ....//cfg/globals.php to read configuration files containing sensitive information like database credentials [1].
Impact
Successful exploitation allows an authenticated attacker to read arbitrary files on the server, including sensitive configuration files that may contain database usernames and passwords, leading to potential further compromise of the application and underlying system [1].
Mitigation
As of the reference, no official patch has been released for NavigateCMS 2.9. Users should consider upgrading to a newer version if available, or implement input validation to properly sanitize the id parameter. Suggested workarounds include using a whitelist of allowed files or replacing ../ with a non-empty string (e.g., "hacker") instead of an empty string to prevent bypass [1].
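To make the filter flaw and the mitigation options concrete, the following Python is an added illustration (not NavigateCMS code): it models the single-pass ../ removal described under Vulnerability, the non-empty replacement suggested under Mitigation, and a canonical-path containment check that does not depend on string filtering at all. The base directory and file names are assumptions.

```python
import os

# Constructed inputs (not taken from the CVE record): the page's bypass shape
# and a legitimate download name, resolved against an assumed base directory.
ASSUMED_BASE = "/srv/navigate/private"          # assumption: the download root
TRAVERSAL_INPUT = "....//....//etc/passwd"       # constructed ....// payload
LEGIT_INPUT = "docs/report.pdf"                  # constructed benign id


def flawed_filter(user_id: str) -> str:
    """Model of the filter the narrative describes: one non-recursive removal
    of '../' (same semantics as PHP's str_replace). Each '....//' loses its
    inner '../' and the leftover characters form '../' again."""
    return user_id.replace("../", "")


def workaround_filter(user_id: str) -> str:
    """The page's suggested workaround: replace '../' with a non-empty marker
    so the leftovers can no longer reassemble into '../'."""
    return user_id.replace("../", "hacker")


def resolve_inside(base_dir: str, user_id: str):
    """Defensive check independent of any string filter: canonicalise the
    requested path and accept it only if it stays under base_dir. Returns
    the resolved path, or None if the request escapes the base directory."""
    real_base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(real_base, user_id))
    # commonpath compares whole path components, so /base2/x is not
    # mistaken for a child of /base (a plain startswith check would be).
    if os.path.commonpath([real_base, target]) != real_base:
        return None
    return target


if __name__ == "__main__":
    print("flawed filter output :", flawed_filter(TRAVERSAL_INPUT))
    print("workaround output    :", workaround_filter(TRAVERSAL_INPUT))
    print("canonical check      :", resolve_inside(ASSUMED_BASE, flawed_filter(TRAVERSAL_INPUT)))
    print("legit request        :", resolve_inside(ASSUMED_BASE, LEGIT_INPUT))
```

The canonical check rejects the stripped payload even though the filter let it through, which is why a containment check on the resolved path is the more robust fix than tuning the replacement string.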
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- NavigateCMS/NavigateCMS
- Range: <=2.9
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/NavigateCMS/Navigate-CMS/issues/28
News mentions
No linked articles in our index yet.