Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2020-25359: Pwning rConfig part I · Stark0de Sanctuary

An arbitrary file deletion vulnerability in rConfig 3.9.5 has been fixed for 3.9.6. This vulnerability gave attackers the ability to send a crafted request to /lib/ajaxHandlers/ajaxDeleteAllLoggingFiles.php by specifying a path in the path parameter and an extension in the ext parameter and delete all the files with that extension in that path.

CVE
#xss#vulnerability#mac#git#php#ssrf

Pwning rConfig: part one

Hi everyone. I’ve been quite busy lately, but some weeks ago I decided to review the security of a software called rConfig version 3.9.5 (www.rconfig.com) which is a Network Monitoring tool and I found several vulnerabilities. So let’s take a look at them ;)

LFI 1

Local file disclosure in /lib/crud/configcompare.crud.php, when comparing the parameter path_a to path_b, the file specified in path_a is disclosed if both files are completely different. Here we can see the contents of /etc/passwd

Arbitrary file deletion

Arbitrary file deletion in /lib/ajaxHandlers/ajaxDeleteAllLoggingFiles.php. You can delete any file with an extension by specifying the file with the path parameter and the extension with the ext extension

Server-Side Request Forgery

Server-Side Request Forgery in /lib/ajaxHandlers/ajaxDeviceStatus.php, you can open a connection to the inside of the machine with the deviceIpAddr parameter and the connPort parameter.

OPEN PORT:

Error:

XSS

Cross-Site Scripting in /devices.php > Add device, introduce a payload such as <svg onload=alert(1)> in the Model field and clicking Save (it’s needed to fill the rest of fields with info). Then visiting /devicemgmt.php?deviceId=1&device=devicename

XSS 2

Cross-Site Scripting in /commands.php > Add command, introduce a payload such as <svg onload=alert(1)> in the Command field and click Save.

XSS 3

Cross-Site Scripting in /snippets.php > Add snippet, introduce a payload such as <svg onload=alert(1)> in the Snippet field and click Save(fill the rest of fields first).

Privilege escalation 1

Using sudo zip:

Privilege escalation 2

By doing sudo crontab -e and then :!/bin/bash

Arbitrary file read:

Following this we can read any privileged file: https://gtfobins.github.io/gtfobins/tail/

So those are some of the vulns I found during the research, hope you enjoyed the article. Back with the second part soon :)

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907