Vendor: Files Desk Pro & Lite
By: Vulnerability Laboratory Research Team
CVSS: 6,7 (HIGH)
Local File Include Web Vulnerability
CWE: 434
Product Name: Files Desk Pro & Lite
Affected Version From: 1.4
Affected Version To: 1.4
Patch Exists: YES
Related CWE: N/A
CPE: a:livebird_technologies_private_limited:files_desk_pro_&_lite:1.4
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: iOS
2014

Files Desk Pro v1.4 iOS – File Include Web Vulnerability

A local file include web vulnerability has been discovered in the official Files Desk Pro v1.4 iOS mobile web-application. It allows remote attackers to include local file/path requests or system-specific path commands without authorization and so compromise the mobile web-application. The vulnerability is located in the `filename` value of the `upload` module: remote attackers are able to inject their own files with malicious `filename` values in the `upload` POST method request.

Mitigation:

The vulnerability can be patched by securely parsing and encoding the vulnerable `filename` value. Restrict file uploads to the `.pdf` file type and protect the upload module with a secure file upload check.
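
One way to implement the filename parsing, `.pdf` restriction and output encoding described above, as an added example that is not code from the advisory or the vendor. It is written in Python for illustration rather than in the app's own language; the function names, the allow-list pattern and the `%PDF-` header check are assumptions.

```python
import html
import os
import re
import unicodedata

# Assumed policy (not from the advisory): ASCII allow-list, max 100 chars.
PDF_MAGIC = b"%PDF-"
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,99}")


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def safe_upload_name(raw: str) -> str:
    """Validate the client-supplied filename; return the normalized name."""
    name = unicodedata.normalize("NFKC", raw)
    # Separators, markup characters, NUL bytes and leading dots all fail the allow-list.
    if not SAFE_NAME.fullmatch(name):
        raise UploadRejected("filename contains disallowed characters")
    if not name.lower().endswith(".pdf"):
        raise UploadRejected("only .pdf uploads are accepted")
    return name


def store_upload(upload_dir: str, raw_name: str, content: bytes) -> str:
    """Write a validated PDF under upload_dir and return its path."""
    name = safe_upload_name(raw_name)
    if not content.startswith(PDF_MAGIC):
        raise UploadRejected("content is not a PDF")
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, name))
    # Defence in depth: the resolved path must still sit inside the upload root.
    if os.path.commonpath([root, target]) != root:
        raise UploadRejected("path escapes the upload directory")
    with open(target, "xb") as fh:  # "x" refuses to overwrite an existing file
        fh.write(content)
    return target


def render_listing_entry(stored_name: str) -> str:
    """HTML-encode a filename before it is placed in the file index page."""
    return "<li>" + html.escape(stored_name, quote=True) + "</li>"
```

Validation happens on input and encoding happens again on output, so a name that reached storage by another route is still rendered as text in the file listing.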

Exploit-DB raw data: