sentora / sentora-core

Sentora is a web hosting control panel written in PHP for *NIX
GNU General Public License v3.0

Security bug, critical, filesystem access for apache user, sentora full access #344

Closed VedranIteh closed 9 months ago

VedranIteh commented 4 years ago

@5050 @TGates71 @MBlagui

Any sentora user can read the file system (e.g. /etc/passwd or /etc/sentora/panel/cnf/db.php). The first module I found this in is dns_admin, but this bad coding practice may be all over the place.

Description: https://example.com/modules/dns_admin/code/getbindlog.php accepts POST requests with an "inBindLog" variable that can contain a path to any file on the system, and it just parses it out for you.

Example:
1) Log in to your sentora account
2) use RestMan (Chrome extension) or another tool for creating POST requests
3) add 2 variables: "inBindLog" with value "/etc/passwd" and "inViewLogs" with value 1
4) change the inBindLog value to access various files, e.g. "/etc/sentora/panel/cnf/db.php"

caglaroflazoglu commented 4 years ago

`if (!isset($_SESSION['zpuid'])) {`

is not enough for this. One can check the user group permissions and get the path from a file or the DB.
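The two comments above (the original report and the point that a session check alone is not enough) describe the fix shape: never open the client-supplied path, only serve named files from a fixed log directory, and gate it behind the session. The following is an added example for illustration, not code from the Sentora project; the log directory, the allowlist of file names and the placement of the group-permission check are assumptions.

```php
<?php
// Added example (not Sentora's own code): serve a BIND log only from a fixed
// directory instead of opening whatever path arrives in inBindLog.
// Assumed values: the log directory and the allowlist of file names.
const BIND_LOG_DIR = '/var/log/named';            // assumed location
const ALLOWED_LOGS = ['named.log', 'query.log'];  // assumed allowlist

// Map a client-supplied name to a real file inside the log directory, or null.
function resolveBindLog(string $requested, string $dir = BIND_LOG_DIR, array $allowed = ALLOWED_LOGS): ?string
{
    // Keep only the file name: "/etc/passwd" or "../../etc/passwd" become
    // "passwd", which is then rejected by the allowlist.
    $name = basename($requested);
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    $dirReal  = realpath($dir);
    $fileReal = realpath($dir . DIRECTORY_SEPARATOR . $name);
    if ($dirReal === false || $fileReal === false) {
        return null;
    }
    // Second guard: the resolved file must still sit inside the log directory,
    // which catches a symlink dropped among the log files.
    if (strpos($fileReal, $dirReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $fileReal;
}

// Request handling in the style of the module's code/ scripts.
session_start();
if (!isset($_SESSION['zpuid'])) {
    http_response_code(403);
    exit;
}
// As raised in the thread, the logged-in user's group permission should also
// be checked here; that lookup depends on the panel database and is omitted.
if (isset($_POST['inViewLogs'], $_POST['inBindLog'])) {
    $path = resolveBindLog((string) $_POST['inBindLog']);
    if ($path === null) {
        http_response_code(400);
        exit;
    }
    header('Content-Type: text/plain');
    readfile($path);
}
```

With this shape the earlier request with inBindLog=/etc/sentora/panel/cnf/db.php fails the allowlist and gets a 400, while the two real log names still work.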

VedranIteh commented 4 years ago

Yes, you have to be logged in first, or use another vulnerability like the password reset bug to hijack someone's account.

caglaroflazoglu commented 4 years ago

The "getbindlog.php" file is not necessary. I think it can be removed (I removed it temporarily) and the bind logs fetched in another way.

Thanks for this

Dukecitysolutions commented 4 years ago

Can you explain more about this? I'm using RestMan in Chrome. I set "POST" then use the URL

http://example.com/modules/dns_admin/code/getbindlog.php/?inBindLog=/etc/sentora/panel/cnf/db.php&inViewLogs=1

It returns nothing.

I want to help fix the issue but can't replicate it. Thank you for your help.

Dukecitysolutions commented 4 years ago

Never mind got it!!!

GlenCooper commented 4 years ago

:eyes:

TGates71 commented 1 year ago

Resolved?

Dukecitysolutions commented 9 months ago

Fixed. Closing.