HackDig : Dig high-quality web security articles for hacker

OV3 Online Administration 3.0 Parameter Traversal Arbitrary File Access PoC Exploit

2017-05-30 17:40
Title: OV3 Online Administration 3.0 Parameter Traversal Arbitrary File Access PoC Exploit
Advisory ID: ZSL-2017-5410
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (4/5)
Release Date: 30.05.2017
Summary
With the decision to use the OV3 as a platform for your data management,the course is set for scalable, flexible and high-performance applications. Whetheryou use the OV3 for your internal data management or use it for commercial businessapplications such as shops, portals, etc. Thanks to the data-based structure of theOV3, you always have the best tool at your fingertips. The OV3 is a 100% web-basedtool. This eliminates the need to install a new software on all participating clientcomputers. All elements are operated by a standard browser. Further advantages arethe location-dependent use and - particularly with ASP solutions - the reduced costsfor local hardware like own servers and modern client workstations.
Description
The application (Online Verwaltung III) suffers from an unauthenticated filedisclosure vulnerability when input passed thru the 'file' parameter to 'download.php'script is not properly verified before being used to include files. This can be exploitedto read arbitrary files from local resources with directory traversal attacks.

--------------------------------------------------------------------------------

/download.php
------------------------

67: header("Expires: Mon, 1 Apr 1990 00:00:00 GMT");
68: header("Last-Modified: " . gmdate("D,d M YH:i:s") . " GMT");
69: /*
70: header("Cache-Control: no-cache, must-revalidate");
71: header("Pragma: no-cache");
72: */
73: header("Pragma: ");
74: header("Cache-Control: ");
75: header("Content-type: application/octet-stream");
76: header("Content-Type: application/force-download");
77: $dname = rawurlencode($name);
78: header("Content-Disposition: attachment; filename="$dname";");
79:
80: if ($export==1) {
81: if (is_file($path.'/'.$file)) {
82: header('Content-Length: '.filesize($path.'/'.$file));
83: readfile($path.'/'.$file);
84: } elseif (is_file(utf8_decode($path.'/'.$file))) {
85: header('Content-Length: '.filesize(utf8_decode($path.'/'.$file)));
86: readfile(utf8_decode($path.'/'.$file));
87: }
88: }

--------------------------------------------------------------------------------

Vendor
novaCapta Software & Consulting GmbH - http://www.meacon.de
Affected Version
3.0
Tested On
CentOS release 6.8 (Final)
PHP/5.3.3
Apache/2.2.15
MySQL/5.0.11
Vendor Status
[14.11.2016] Vendor contacted.
[26.12.2016] Vulnerability discovered.
[29.05.2017] No response from the vendor.
[30.05.2017] Public security advisory released.
PoC
ov3_lfi.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
N/A
Changelog
[30.05.2017] - Initial release
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk


Source: php.0145-7102-LSZ/seitilibarenluv/ne/km.ecneicsorez.www

Read:1553 | Comments:0 | Tags: exploit

“OV3 Online Administration 3.0 Parameter Traversal Arbitrary File Access PoC Exploit”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)

Tools

Tag Cloud