Vendor: DesktopOnNet
By: cr4wl3r
CVSS: 9.8 (HIGH)
Vulnerability: Local File Include
CWE: 98
Product Name: DesktopOnNet
Affected Version From: 3 Beta9
Affected Version To: 3 Beta9
Patch Exists: YES
Related CWE: N/A
CPE: a:don3:desktoponnet:3_beta9
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2020

DesktopOnNet 3 Beta9 Local File Include Vulnerability

DesktopOnNet 3 Beta9 contains a Local File Include vulnerability in the 'don3_toolbox.php' file, which is located in the 'DON3/applications/don3_toolbox.don3app/' directory. The script builds the path of a language file from the 'don3_lang' parameter and passes it to require() without validation. An attacker can exploit this by sending a specially crafted HTTP request containing a malicious 'don3_lang' parameter. This allows the attacker to include a malicious file from the server, resulting in remote code execution.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update to the latest version of DesktopOnNet 3 Beta9.

Exploit-DB raw data:

[+] DesktopOnNet 3 Beta9 Local File Include Vulnerability
[+] Discovered By: cr4wl3r
[+] Download: http://sourceforge.net/projects/don3/files/
[x] Code in [DON3/applications/don3_toolbox.don3app/don3_toolbox.php]

require("appfiles/languages/$don3_lang.php"); // <--- LFI
if (!file_exists('library/don3_toolbox.don3lib')){
    don3_do_don3lib("DON3: ToolBox;window;M;", "don3_toolbox");
}
$item = $_GET["ac"];
$toolbox_path = $app_path;
if (array_key_exists($item, $don3_toolbox_overview_words)){
    $currently = $don3_toolbox_overview_words[$item];
} else {
    $currently = $don3_toolbox_overview_words["start"];
}

[+] PoC: [path]/applications/don3_toolbox.don3app/don3_toolbox.php?don3_lang=[LFI%00]
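
Added example, not part of the Exploit-DB entry and not DesktopOnNet or vendor patch code: one way to harden the require() shown above by resolving the language code through a syntax check, an allowlist built from the shipped files, and a path-containment check. The function name, the language codes, the 'en' default and the demo directory are assumptions made for illustration.

```php
<?php
// Hypothetical helper (PHP 7.4+), not DesktopOnNet code: maps a requested
// language code to a file inside $langDir, or falls back to $default.
function resolve_language_file(string $requested, string $langDir, string $default = 'en'): string
{
    // 1. Syntax check: short lowercase codes only, so "/", ".." and NUL bytes never pass.
    $code = preg_match('/\A[a-z]{2}(_[a-z]{2})?\z/', $requested) === 1 ? $requested : $default;

    // 2. Allowlist: only codes that have a file shipped in the languages directory.
    $allowed = array_map(
        fn(string $p): string => basename($p, '.php'),
        glob($langDir . '/*.php') ?: []
    );
    if (!in_array($code, $allowed, true)) {
        $code = $default;
    }

    // 3. Containment: the resolved path must still sit under the languages directory.
    $base = realpath($langDir);
    $path = realpath($langDir . '/' . $code . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('language file not available');
    }
    return $path;
}

// Constructed demo: a throwaway languages directory with two files.
$dir = sys_get_temp_dir() . '/don3_lang_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/en.php", '<?php $words = ["start" => "Start"];');
file_put_contents("$dir/de.php", '<?php $words = ["start" => "Anfang"];');

// Constructed inputs; in the application the value would be read explicitly,
// e.g. $_GET['don3_lang'] ?? 'en', never taken from a bare global variable.
$inputs = ['de', 'xx', "../../outside\0", ''];
foreach ($inputs as $in) {
    $file = resolve_language_file($in, $dir);
    printf("%-22s -> %s\n", json_encode($in, JSON_UNESCAPED_SLASHES), basename($file));
}

// The hardened call site would then be: require resolve_language_file(...);
array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

Only 'de' resolves to its own file; every other constructed input falls back to en.php, and nothing derived from the request reaches require() unchecked.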