Closed VedranIteh closed 9 months ago
if (!isset($_SESSION['zpuid'])) {
not enough for this. can check the user group permissions and get the path from file or db.
yes, you have to be logged in first. or use another vulnerability like password reset bug to hijack someones account.
"getbindlog.php" file is not necessary. I think it can be removed (i removed it temporarily) and get bind logs in another way.
Thanks for this
Can you explain more about this? I'm using RestMan in Chrome. I set "POST" then use URL
http://example.com/modules/dns_admin/code/getbindlog.php/?inBindLog=/etc/sentora/panel/cnf/db.php&inViewLogs=1
It returns nothing.
I want to help fix the issue but can't replicate the issue. Than you for your help.
Never mind got it!!!
:eyes:
Resolved?
Fixed. Closing.
@5050 @TGates71 @MBlagui
Any sentora user can read the file system (e.g. /etc/passwd or /etc/sentora/panel/cnf/db.php). The first module I found this in dns_admin but this bad coding practice may be all over the place.
Description https://example.com/modules/dns_admin/code/getbindlog.php accepts post requests with a "inBindLog" variable that can contain a path to any file on the system and it just parses it out for you.
Example 1) Login to your sentora account 2) use restman(chrome extension) or other tool for creating POST requests 3) add 2 variables "inBindLog" with value of "/etc/passwd" and "inViewLogs" with value of 1 4) change inBindLog value for accessing various files e.g. "/etc/sentora/panel/cnf/db.php"