Gửi #177155: Boss Mini v1.4.0 - LFIthông tin

tiêu đềBoss Mini v1.4.0 - LFI
Mô tảVulnerability: Local File Inclusion (LFI) Regarding this flaw, the attacker could read any file from the server where the application is located. And also in some situations it can escalate to a Remote Code Execution (RCE) fault. Vulnerability Detail: URI: boss/servlet/document Parameter: path Need authentication: no Version: 1.4.0 Build: 6221 POC: https://drive.google.com/file/d/1RXmDUAjqZvWSvHUrfRerz7My6M3KX7YG/view Explaining the POC video: $ python3 poc_lfi_miniboss.py /proc/sys/kernel/osrelease -> The script simulates a POST request asking to read the file /proc/sys/kernel/osrelease; The test was carried out in the Boss Mini application, in version 1.4.0 and Build 6221; URI -> The URI that was used to read the file; Parameter -> path is the parameter that gives the possibility to obtain the return of the file reading; Content -> It is the result of the file reading request;
Người dùng nltt0 (UID 49917)
Đệ trình03/07/2023 19:04 (cách đây 3 những năm)
Kiểm duyệt12/07/2023 18:15 (9 days later)
Trạng tháiđược chấp nhận
Mục VulDB233889 [Boss Mini 1.4.0 Build 6221 boss/servlet/document path nâng cao đặc quyền]
điểm17

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!