
16 new exploits Linux Kernel < 2.6.34 (Ubuntu 11.10 x86 & x64) - CAP_SYS_ADMIN Local Privilege Escalation Exploit (2) Linux Kernel < 2.6.34 (Ubuntu 11.10 x86/x64) - CAP_SYS_ADMIN Local Privilege Escalation Exploit (2) Linux Kernel 2.4.4 <= 2.4.37.4 / 2.6.0 <= 2.6.30.4 - Sendpage Local Privilege Escalation (Metasploit) Linux Kernel 2.4.4 <= 2.4.37.4 / 2.6.0 <= 2.6.30.4 - Sendpage Local Privilege Escalation (Metasploit) Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root WordPress Simple Backup Plugin 2.7.11 - Multiple Vulnerabilities Dream Gallery 1.0 - CSRF Add Admin Exploit Apache Continuum 1.4.2 - Multiple Vulnerabilities Sun Secure Global Desktop and Oracle Global Desktop 4.61.915 - ShellShock Exploit Valve Steam 3.42.16.13 - Local Privilege Escalation ArticleSetup 1.00 - CSRF Change Admin Password Electroweb Online Examination System 1.0 - SQL Injection WordPress WP Mobile Detector Plugin 3.5 - Arbitrary File Upload WordPress Creative Multi-Purpose Theme 9.1.3 - Stored XSS WordPress WP PRO Advertising System Plugin 4.6.18 - SQL Injection WordPress Newspaper Theme 6.7.1 - Privilege Escalation WordPress Uncode Theme 1.3.1 - Arbitrary File Upload WordPress Double Opt-In for Download Plugin 2.0.9 - SQL Injection Notilus Travel Solution Software 2012 R3 - SQL Injection rConfig 3.1.1 - Local File Inclusion Nagios XI 5.2.7 - Multiple Vulnerabilities
39 lines
No EOL
1.5 KiB
Text
Executable file
Title
===================
rConfig, the open source network device configuration management tool, Vulnerable to Local File Inclusion

Summary
===================
rConfig, the open source network device configuration management tool, is vulnerable to local file inclusion in /lib/crud/downloadFile.php. downloadFile.php allows authenticated users to download any file on the server.

Affected Products
===================
rConfig 3.1.1 and earlier

CVE
===================
N/A

Details
===================
rConfig, the open source network device configuration management tool, is vulnerable to local file inclusion in /lib/crud/downloadFile.php. downloadFile.php allows authenticated users to download any file on the server. This is because downloadFile.php does not check the download_file parameter before it uses it. It merely opens and sends the file in the parameter to the user. As long as the account running the web server has access to it, rConfig will open it and send it.

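The missing check described under Details, sketched as an added example (not rConfig's code and not part of the original advisory): the requested name is resolved against a fixed download directory and refused unless its canonical path stays inside it. The function name resolve_download_path, the temporary base directory and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added illustration; function and directory names are hypothetical, not rConfig's.

// Pattern the advisory describes: the request parameter is used as the path as-is.
//   readfile($_GET['download_file']);

/**
 * Map a requested name to a real file inside $baseDir.
 * Returns the canonical path, or null if the request must be refused.
 */
function resolve_download_path(string $requested, string $baseDir): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // Treat the parameter as relative to the base, never as an absolute path.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // The canonical path must still sit under the base ("../" and symlinks resolved).
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo: a temporary download directory holding one file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . getmypid();
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'report.txt', "sample\n");

foreach (['report.txt', '/etc/passwd', '../../etc/passwd', 'missing.txt'] as $req) {
    $path = resolve_download_path($req, $base);
    echo str_pad($req, 18), ' => ', ($path === null ? 'refused' : 'allowed'), PHP_EOL;
}

unlink($base . DIRECTORY_SEPARATOR . 'report.txt');
rmdir($base);
```
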
Verification of Vulnerability
===================
The following steps reproduce this vulnerability.

Step 1:
Enter the following into your browser address bar:

http://<SERVER>/lib/crud/downloadFile.php?download_file=/etc/passwd

Step 2:
Confirm that the passwd file is valid.

Impact
===================
Information Disclosure. User privileges and unauthorized access to the system.

Credits
===================
Gregory Pickett (@shogun7273), Hellfire Security