Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-41547: [Security] Fix Local File Inclusion Vulnerability in ViewSource Function. Version <= v0.9.2 by thongngo · Pull Request #166 · MobSF/Mobile-Security-Framework-MobSF

Mobile Security Framework (MobSF) v0.9.2 and below was discovered to contain a local file inclusion (LFI) vulnerability in the StaticAnalyzer/views.py script. This vulnerability allows attackers to read arbitrary files via a crafted HTTP request.

CVE
Open in Source
#vulnerability#android#mac#java

Hi Ajin,

I’ve found a Local File Inclusion Vulnerablity in StaticAnalyzer/views.py (Version <= v0.9.2)

Detail: Bypass “md5” varriable by

  • An actual md5 string (e.g: an uploaded file) at the head.
  • Null-byte at the end of string

PoC:
http://127.0.0.1:8000/ViewSource/
?file=de/robv/android/xposed/installer/repo/RepoDb.java
&md5=36570c6fac687ffe08107e6a72bd3da7/…/…/…/…/…/…/…/…/…/…/…/private/etc/passwd%00
&type=apk

Before fixing: read /private/etc/passwd on MAC OS

After Fixed

I’m still working on contributing this great project.
Thanks for all

Related news

GHSA-f42p-vc8p-7x54: MobSF allows attackers to read arbitrary files via a crafted HTTP request

Mobile Security Framework (MobSF) v0.9.2 and below was discovered to contain a local file inclusion (LFI) vulnerability in the `StaticAnalyzer/views.py` script. This vulnerability allows attackers to read arbitrary files via a crafted HTTP request.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE