exploit the possibilities

openSIS 7.4 Local File Inclusion

openSIS 7.4 Local File Inclusion
Posted Jun 30, 2020
Authored by EgiX | Site karmainsecurity.com

openSIS versions 7.4 and below suffer from a local file inclusion vulnerability.

tags | exploit, local, file inclusion
advisories | CVE-2020-13383
MD5 | 34773fe08298e4f70971b2ca475bfba4

openSIS 7.4 Local File Inclusion

Change Mirror Download
--------------------------------------------------------------
openSIS <= 7.4 (Bottom.php) Local File Inclusion Vulnerability
--------------------------------------------------------------


[-] Software Link:

https://opensis.com/


[-] Affected Versions:

Version 7.4 and prior versions.


[-] Vulnerability Description:

The vulnerable code is located in the /Bottom.php script:

36. if(clean_param($_REQUEST['modfunc'],PARAM_ALPHA)=='print')
37. {
38. $_REQUEST = $_SESSION['_REQUEST_vars'];
39. $_REQUEST['_openSIS_PDF'] = true;
40. if(strpos($_REQUEST['modname'],'?')!==false)
41. $modname =
substr($_REQUEST['modname'],0,strpos($_REQUEST['modname'],'?'));
42. else
43. $modname = $_REQUEST['modname'];
44. ob_start();
45. include('modules/'.$modname);

User input passed through the "modname" request parameter is not
properly sanitized before being
used in a call to the "include()" function at line 45. This can be
exploited to include arbitrary
local files and potentially access otherwise restricted functionalities
or execute arbitrary PHP
code with the permissions of the webserver.


[-] Solution:

No official solution is currently available.


[-] Disclosure Timeline:

[04/11/2019] - Vendor notified
[04/11/2019] - Vendor acknowledgement
[10/01/2020] - Vendor contacted again asking for updates
[16/01/2020] - Vendor tried to fix the vulnerability by using
"mysqli_real_escape_string()"
[06/02/2020] - Vendor was informed about the inappropriate fix
[25/04/2020] - Version 7.4 released, vulnerability still incorrectly
fixed
[22/05/2020] - CVE number assigned
[30/06/2020] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2020-13383 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2020-07


Login or Register to add favorites

File Archive:

April 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    17 Files
  • 2
    Apr 2nd
    2 Files
  • 3
    Apr 3rd
    2 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    15 Files
  • 7
    Apr 7th
    20 Files
  • 8
    Apr 8th
    16 Files
  • 9
    Apr 9th
    5 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    4 Files
  • 13
    Apr 13th
    15 Files
  • 14
    Apr 14th
    27 Files
  • 15
    Apr 15th
    19 Files
  • 16
    Apr 16th
    7 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close