
CVE-2021-42052 full disclosure

Posted on August 4, 2022 by nxnjz

Vulnerability Details

IPESA e-Flow 3.3.6 allows path traversal via the R query parameter of lib/js/build/STEResource.res, letting an unauthenticated remote client read any file within the web root directory.

------------------------------------------

[Vulnerability Type]
Directory Traversal

------------------------------------------

[Vendor of Product]
IPESA

------------------------------------------

[Affected Product Code Base]
e-Flow - v.3.3.6

------------------------------------------

[Affected Component]
/lib/js/build/STEResource.res

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Impact Information Disclosure]
true

------------------------------------------

[Attack Vectors]
Basic path traversal sequence in the 'R' query parameter

------------------------------------------

[Discoverer]
nxnjz

------------------------------------------

[Reference]
https://ipesa.com/seccion/gestiondecolaseflow.html


Proof of Concept

https://example.tld/STE/lib/js/build/STEResource.res?R=../../../../../web.config

https://example.tld/lib/js/build/STEResource.res?R=../../../../../web.config
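The root cause described above is a resource loader that joins an untrusted R value onto a directory without checking where the result lands. The following is an added example, not the vendor's code (e-Flow is an ASP.NET application; the same logic applies there). It shows the containment check such an endpoint needs, plus a small scanner that runs the same check over access-log lines to find requests that would have escaped the web root. The web root path, the allowed asset suffixes and the log lines are constructed for this example.

```python
"""Containment check and log triage for a resource-loader path traversal
of the CVE-2021-42052 kind. Added example; WEB_ROOT, ALLOWED_SUFFIXES and
SAMPLE_LOG are constructed, not taken from a real deployment."""
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical web root of the application (assumption for this example).
WEB_ROOT = "/var/www/eflow"

# Static asset types the resource endpoint is meant to serve (assumption).
# Anything else, web.config included, is refused even if it sits inside the root.
ALLOWED_SUFFIXES = (".js", ".css", ".png", ".gif", ".woff", ".woff2")


def resolve_within_root(requested: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Map the untrusted 'R' value to an absolute path, or return None.

    Decodes percent-encoding twice (so double-encoded '..' is normalised too),
    rejects NUL bytes, treats backslashes as separators the way IIS does,
    collapses '..' segments, and only then verifies the result still lies
    inside web_root and has an allowed asset suffix.
    """
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:
        return None
    relative = decoded.replace("\\", "/").lstrip("/")
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # Proper-prefix check: the root itself is a directory, not a servable file.
    if not candidate.startswith(root + "/"):
        return None
    if not candidate.lower().endswith(ALLOWED_SUFFIXES):
        return None
    return candidate


# Combined Log Format: client, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_traversal_requests(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (client, R value, HTTP status) for every request to the resource
    loader whose R parameter would not resolve inside the web root.

    Reusing resolve_within_root for detection keeps the log check in step with
    the server-side rule, so encoding variants are judged the same way.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith("/steresource.res"):
            continue
        # parse_qs already decodes once; resolve_within_root decodes again.
        for value in parse_qs(parts.query).get("R", []):
            if resolve_within_root(value) is None:
                findings.append((m.group("client"), value, int(m.group("status"))))
    return findings


# Constructed access-log lines: the published proof of concept, a
# double-encoded variant of it, a legitimate asset request and an unrelated hit.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Aug/2022:10:00:01 +0000] '
    '"GET /lib/js/build/STEResource.res?R=../../../../../web.config HTTP/1.1" 200 1532',
    '203.0.113.5 - - [04/Aug/2022:10:00:02 +0000] '
    '"GET /lib/js/build/STEResource.res?R=%252e%252e%252fweb.config HTTP/1.1" 200 1532',
    '198.51.100.7 - - [04/Aug/2022:10:00:03 +0000] '
    '"GET /lib/js/build/STEResource.res?R=app.js HTTP/1.1" 200 8812',
    '198.51.100.7 - - [04/Aug/2022:10:00:04 +0000] "GET /index.aspx HTTP/1.1" 200 4410',
]


if __name__ == "__main__":
    for client, value, status in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {client}: R={value!r} (HTTP {status})")
```

A status of 200 on a flagged line means the server answered the request rather than rejecting it, which is the signal to treat that host as having served the file. The suffix allowlist is the second layer: even a path that normalises to somewhere inside the root is refused unless it names a static asset type, so a future bypass of the prefix check still cannot hand out web.config.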
 

Timeline

  • May 31, 2021: Vulnerability discovered and reported to a bug bounty program.
  • August 4, 2021: Bug bounty program resolved the issue on their affected site.
  • October 6, 2021: Contacted e-Flow vendor via website form, no response.
  • October 7, 2021: CVE-2021-42052 reserved.
  • October 26, 2021: Contacted the vendor via their Whois registrant email address, no response.
  • October 26-29, 2021: Contacted the vendor via their WhatsApp customer service. They forwarded the issue.
  • November 11, 2021: Received a request for vulnerability details from the vendor.
  • November 11, 2021: Sent the requested info, and asked for an estimated time to resolution, no response.
  • February 21, 2022: Asked the vendor for an update, no response.
  • August 8, 2022: Publishing full disclosure.