zenphoto-setup: Zenphoto <1.5 Installer - Detect

Date: 2025-08-01 | Affected software: Zenphoto | PoC: Public

Vulnerability description

Zenphoto setup page before version 1.5 is susceptible to sensitive information disclosure due to misconfiguration.

PoC code [public]

id: zenphoto-setup

info:
  name: Zenphoto <1.5 Installer - Detect
  author: pdteam
  severity: critical
  description: Zenphoto setup page before version 1.5 is susceptible to sensitive information disclosure due to misconfiguration.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
    cvss-score: 9.4
    cwe-id: CWE-284
    cpe: cpe:2.3:a:zenphoto:zenphoto:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    shodan-query: title:"Zenphoto install"
    product: zenphoto
    vendor: zenphoto
  tags: misconfig,panel,zenphoto,setup,installer,vuln

http:
  - method: GET
    path:
      - '{{BaseURL}}/zp-core/setup/index.php'
      - '{{BaseURL}}/zp/zp-core/setup/index.php'
      - '{{BaseURL}}/gallery/zp-core/setup/index.php'
      - '{{BaseURL}}/zenphoto/zp-core/setup/index.php'

    stop-at-first-match: true
    matchers:
      - type: word
        part: body
        words:
          - Welcome to Zenphoto! This page will set up Zenphoto
# digest: 4a0a00473045022100ddb65d5a5d7e4b2ee255ddf766a6c45f97d636816fb6925b6c0dc087c471d3de02203fbe92c461dc2a18d3d435b780d9a66ad14c2658e43d0b16dccd247fb687e0da:922c64590222798bb761d5b6d8e72950
