Headline
CVE-2022-27983: Ruijie-NBR Any file read vulnerability – Adminxe's Blog
RG-NBR-E Enterprise Gateway RG-NBR2100G-E was discovered to contain an arbitrary file read vulnerability via the url parameter in check.php.
**0x00 **Affected component(s)****
Affected: RG-NBR-E Enterprise Gateway RG-NBR2100G-E Affected source code file:/check.php
**0x01 Vendor of the product(s) and **vulnerability type****
https://www.ruijie.com.cn/
Any file read vulnerability
**0x02 **Attack vector(s)****
Vulnerability file path ‘check.php’ ,
the ‘url’ parameter passed in is not strictly filtered.
It is directly brought into the function ‘indexAction’ — > file_get_contents($url),
resulting in an Any file read vulnerability,
which can read any file on the server.
0x03 Suggest
An issue was discovered in RG-NBR-E Enterprise Gateway RG-NBR2100G-E.
There is an Any file read vulnerability that can read any file on the server.
**0x04 **Source code analysis****
path:
/check.php
function deleteFile($fileName)
{
$cmd = "rm -fr $fileName";
public function indexAction() {
$root = "/tmp/html/";
$name = $_GET["url"];
$url = $root.$name;
if($name == FALSE){
header("Location: /index.htm");
exit();
}
if (file_exists($url)) {
$fileContent = file_get_contents($url);
echo $fileContent;
} else if (file_exists($url.".gz")) {
header("Content-Encoding: gzip");
$fileContent = file_get_contents($url.".gz");
echo $fileContent;
} else {
echo "404 Resource Not Found";
}
}
Vulnerability file path ‘check.php’ ,
the ‘url’ parameter passed in is not strictly filtered.
It is directly brought into the function ‘indexAction’ — > file_get_contents($url),
resulting in an Arbitrary file read vulnerability,
which can read any file on the server.
Arbitrary file read vulnerability :
payload:
Read init.php PHP file:
http://127.0.0.1:80/check.php?url=init.php
转载请注明:Adminxe’s Blog » Ruijie-NBR Any file read vulnerability