Sensitive system information disclosure in lirantal/daloradius

Valid

Reported on

Dec 7th 2022


Description

An unauthenticated user can gather information on the remote system just by visiting the following endpoints:

  • /library/exten-radius_server_info.php (which reveals pieces of information such as system uptime, CPU load, etc.)
  • /library/exten-server_info.php (which reveals if mysql and/or freeradius are currently running)

Proof of Concept

$ curl http://<hostname>/library/exten-server_info.php
<h3>General Information</h3>
<table class='summarySection'>
  <tr>
    <td class='summaryKey'> Uptime </td>
    <td class='summaryValue'><span class='sleft'>69  days 2  hours 24  minutes </span> </td>
  </tr>
  <tr>
    <td class='summaryKey'> System Load </td>
    <td class='summaryValue'><span class='sleft'>0.14 0.14 0.10<br/>Tasks:  29 total,   1 running,  28 sleeping,   0 stopped,   0 zombie<br/>%Cpu(s):  0.0 us,  0.0 sy,  0.0 ni,100.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st</span> </td>
  </tr>
...

Impact

This vulnerability makes easier for an attacker to gather information on the system hosting an instance of the vulnerable web application.

Fix

The issues have been corrected in the master branch. In particular, at the very beginning of each vulnerable file - exten-server_info.php and exten-radius_server_info.php - the following lines of code implement an authorization check:

...
$extension_file = '/library/exten-server_info.php';
if (strpos($_SERVER['PHP_SELF'], $extension_file) !== false) {
    header("Location: ../index.php");
    exit;
}
...
We are processing your report and will contact the lirantal/daloradius team within 24 hours. a month ago
We have contacted a member of the lirantal/daloradius team and are waiting to hear back a month ago
Liran Tal gave praise a month ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
lirantal/daloradius maintainer has acknowledged this report a month ago
Liran Tal validated this vulnerability a month ago
Filippo has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Liran Tal marked this as fixed in master branch with commit 3d11f3 a month ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Liran Tal published this vulnerability a month ago
to join this conversation