Goby/json/Laravel-Framework-Voyager-Path-traversal.json

{
  "Name": "Laravel Framework Voyager Path traversal",
  "Description": "Voyager is a Laravel background management extension package that provides CRUD operations, media management, menu construction, data management and other operations. There is a path traversal vulnerability in Voyager version 1.3.0, which enables arbitrary file reading (no login is required), which can lead to disclosure of sensitive information and even further control of the server.",
  "Product": "Laravel-Framework",
  "Homepage": "https://laravel.com/",
  "DisclosureDate": "2021-06-01",
  "Author": "atdpa4sw0rd@gmail.com",
  "GobyQuery": "(product=\"Laravel-Framework\" || body=\"/admin/voyager-assets\")",
  "Level": "3",
  "Impact": "<p><span style=\"font-size: 16px; color: rgb(0, 0, 0);\">Voyager is a Laravel background management extension package that provides CRUD operations, media management, menu construction, data management and other operations.</span></p><p><span style=\"font-size: 16px; color: rgb(0, 0, 0);\">There is a path traversal vulnerability in Voyager version 1.3.0, where an attacker can traverse any file on the server through directory redirection, and access data, file directories, or some secret files (such as server probe files, webmaster background access addresses, database connection files, server configuration files, system files, etc.) outside of legitimate applications, resulting in data disclosure and even server intrusion.</span></p>",
  "Recommendation": "<p><span style=\"font-size: 16px; color: rgb(0, 0, 0);\">1. The vulnerability has been officially fixed. Please download a patch to fix the vulnerability / upgrade to the latest version: <a href=\"https://github.com/the-control-group/voyager.\">https://github.com/the-control-group/voyager.</a></span></p><p><span style=\"font-size: 16px; color: rgb(0, 0, 0);\">2. Set access policy and whitelist access through security devices such as firewalls.</span></p><p><span style=\"font-size: 16px; color: rgb(0, 0, 0);\">3. If it is not necessary, public network access to the system is prohibited.</span></p>",
  "References": [
    "https://fofa.so/"
  ],
  "HasExp": true,
  "ExpParams": [
    {
      "name": "cmd",
      "type": "input",
      "value": "/etc/passwd"
    }
  ],
  "ExpTips": {
    "Type": "",
    "Content": ""
  },
  "ScanSteps": [
    "AND",
    {
      "Request": {
        "method": "GET",
        "uri": "/test.php",
        "follow_redirect": true,
        "header": {},
        "data_type": "text",
        "data": ""
      },
      "ResponseTest": {
        "type": "group",
        "operation": "AND",
        "checks": [
          {
            "type": "item",
            "variable": "$code",
            "operation": "==",
            "value": "200",
            "bz": ""
          },
          {
            "type": "item",
            "variable": "$body",
            "operation": "contains",
            "value": "test",
            "bz": ""
          }
        ]
      },
      "SetVariable": []
    }
  ],
  "ExploitSteps": null,
  "Tags": [
    "File Inclusion"
  ],
  "CVEIDs": null,
  "CVSSScore": "0.0",
  "AttackSurfaces": {
    "Application": null,
    "Support": null,
    "Service": null,
    "System": null,
    "Hardware": null
  }
}