Skip to content

Latest commit

 

History

History
 
 

CVE-2017-7282

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 

CVE-2017-7282: Unitrends Enterprise Backup Solution LFI

Information

Description: This allows arbitrary files to be read from the server.
Versions Affected: 9.0
Researcher: Dwight Hohnstein (https://twitter.com/djhohnstein)
Disclosure Link: https://rhinosecuritylabs.com/research/remote-code-execution-bug-hunting-chapter-2/
NIST CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2017-7282

Proof-of-Concept Exploit

Description

The function downloadFile in api/includes/restore.php blindly accepts any filename passed as valid. This allows an attacker to read any file on the filesystem.

Headers required:

AuthToken (aka "token" cookie given at login, no quotes around b64 value)

Parameters:

filename - the file to read from disk..

Usage/Exploitation

CVE-2017-7282.py -u TARGET -U USER -P PASSWORD

Screenshot

Alt-text that shows up on hover