projectdiscovery / nuclei-templates

Community curated list of templates for the nuclei engine to find security vulnerabilities.
https://github.com/projectdiscovery/nuclei
MIT License

CVE-2022-29303 - False positive #8601

Closed 0xPugal closed 10 months ago

0xPugal commented 11 months ago

Hey, the CVE-2022-29303 template in Nuclei often shows a critical vulnerability. This looks like a false positive. The matcher has "root:.*:0:0", but it doesn't return the content of /etc/passwd; instead it shows some code in a JavaScript file.

root:t}}(o.url),c= some js code

Nuclei Version: v3.0.3 (latest)

Template file: http/cves/2022/CVE-2022-29303.yaml

Command to reproduce:

nuclei -u  https://abc.com -id CVE-2022-29303 -debug

Anything else:

[CVE-2022-29303] [http] [critical] https://abc.com/conf_mail.php
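To illustrate the report above, here is an added example that is not from the issue or the nuclei-templates repository: a small Go program, using Go's standard regexp package (nuclei is written in Go), that runs the loose `root:.*:0:0` matcher against a constructed minified-JavaScript body and against constructed /etc/passwd output, beside a stricter line-anchored pattern that is an assumption of this example, not the pattern chosen in PR #8676.

```go
package main

import (
	"fmt"
	"regexp"
)

// looseMatcher is the pattern the report quotes from the template. The greedy
// ".*" lets it match anything between "root:" and ":0:0" on the same line,
// which minified JavaScript can easily contain.
var looseMatcher = regexp.MustCompile(`root:.*:0:0`)

// strictMatcher is an assumption of this example (not the template's fix): it
// requires the /etc/passwd field layout "name:password:uid:gid:" at the start
// of a line, so ordinary JavaScript or HTML no longer satisfies it.
var strictMatcher = regexp.MustCompile(`(?m)^root:[^:\r\n]*:0:0:`)

// Constructed sample bodies (not captured from any real host).
const passwdBody = "command output:\n" +
	"root:x:0:0:root:/root:/bin/bash\n" +
	"daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"

const jsBody = `!function(){var a={root:t}}(o.url),c=o.time||"00:0:0";`

// Matches reports whether the matcher fires on the response body.
func Matches(re *regexp.Regexp, body string) bool {
	return re.MatchString(body)
}

// Summary returns which matchers fire for a body, for quick comparison.
func Summary(body string) string {
	return fmt.Sprintf("loose=%v strict=%v",
		Matches(looseMatcher, body), Matches(strictMatcher, body))
}

func main() {
	// Expected: the loose pattern fires on both bodies (a false positive on
	// the JavaScript), while the strict pattern fires only on passwd output.
	fmt.Println("js body:     ", Summary(jsBody))
	fmt.Println("passwd body: ", Summary(passwdBody))
}
```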

DhiyaneshGeek commented 11 months ago

Hi @0xPugazh, I'm unable to replicate this issue.

geekfreak@localhost ~ % nuclei -u  https://abc.com -id CVE-2022-29303 -debug

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.0.3

        projectdiscovery.io

[INF] Current nuclei version: v3.0.3 (latest)
[INF] Current nuclei-templates version: v9.6.9 (latest)
[INF] New templates added in latest release: 73
[INF] Templates loaded for current scan: 1
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [CVE-2022-29303] Dumped HTTP request for https://abc.com/conf_mail.php

POST /conf_mail.php HTTP/1.1
Host: abc.com
User-Agent: Mozilla/5.0 (Windows NT 4.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Content-Length: 75
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

mail_address=%3Bcat${IFS}/etc/passwd%3B&button=%83%81%81%5B%83%8B%91%97%90M
[DBG] [CVE-2022-29303] Dumped HTTP response https://abc.com/conf_mail.php

HTTP/1.1 403 Forbidden
Connection: close
Content-Length: 1053
Content-Type: text/html
Date: Tue, 14 Nov 2023 05:56:23 GMT
Server: CloudFront
Via: 1.1 efe084c020e92c5aaed2cec86751428c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: KcPt12Vy9N1NqBgh8j7faDQAVjrWG1UVXr7JTpsJU90dsh3l6OcAKQ==
X-Amz-Cf-Pop: BOM54-P2
X-Cache: Error from cloudfront

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>403 ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
This distribution is not configured to allow the HTTP request method that was used for this request. The distribution supports only cachable requests.
We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
<BR clear="all">
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: KcPt12Vy9N1NqBgh8j7faDQAVjrWG1UVXr7JTpsJU90dsh3l6OcAKQ==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY></HTML>

0xPugal commented 11 months ago

Hey @DhiyaneshGeek, I just used abc.com as a target example.

DhiyaneshGeek commented 10 months ago

Hi @0xPugazh, I have DMed you on Discord and Twitter about this issue.

Looking forward to hearing back from you.

Thanks !

DhiyaneshGeek commented 10 months ago

Hi @0xPugazh, I have fixed the issue and raised PR #8676; let me know if it looks good.

Thanks