exploit the possibilities

openSIS 7.4 Local File Inclusion

openSIS 7.4 Local File Inclusion
Posted Jun 30, 2020
Authored by EgiX | Site karmainsecurity.com

openSIS versions 7.4 and below suffer from a local file inclusion vulnerability.

tags | exploit, local, file inclusion
advisories | CVE-2020-13383
MD5 | 34773fe08298e4f70971b2ca475bfba4

openSIS 7.4 Local File Inclusion

Change Mirror Download
--------------------------------------------------------------
openSIS <= 7.4 (Bottom.php) Local File Inclusion Vulnerability
--------------------------------------------------------------


[-] Software Link:

https://opensis.com/


[-] Affected Versions:

Version 7.4 and prior versions.


[-] Vulnerability Description:

The vulnerable code is located in the /Bottom.php script:

36. if(clean_param($_REQUEST['modfunc'],PARAM_ALPHA)=='print')
37. {
38. $_REQUEST = $_SESSION['_REQUEST_vars'];
39. $_REQUEST['_openSIS_PDF'] = true;
40. if(strpos($_REQUEST['modname'],'?')!==false)
41. $modname =
substr($_REQUEST['modname'],0,strpos($_REQUEST['modname'],'?'));
42. else
43. $modname = $_REQUEST['modname'];
44. ob_start();
45. include('modules/'.$modname);

User input passed through the "modname" request parameter is not
properly sanitized before being
used in a call to the "include()" function at line 45. This can be
exploited to include arbitrary
local files and potentially access otherwise restricted functionalities
or execute arbitrary PHP
code with the permissions of the webserver.


[-] Solution:

No official solution is currently available.


[-] Disclosure Timeline:

[04/11/2019] - Vendor notified
[04/11/2019] - Vendor acknowledgement
[10/01/2020] - Vendor contacted again asking for updates
[16/01/2020] - Vendor tried to fix the vulnerability by using
"mysqli_real_escape_string()"
[06/02/2020] - Vendor was informed about the inappropriate fix
[25/04/2020] - Version 7.4 released, vulnerability still incorrectly
fixed
[22/05/2020] - CVE number assigned
[30/06/2020] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2020-13383 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2020-07


Login or Register to add favorites

File Archive:

December 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    22 Files
  • 2
    Dec 2nd
    33 Files
  • 3
    Dec 3rd
    16 Files
  • 4
    Dec 4th
    22 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close