SNT has found a Local File Inclusion (LFI) vulnerability in the /log and /hist parameters that allows an attacker to view the server’s content through a web browser. It is caused by improper sanitization of user-supplied input. Depending on severity, this vulnerability can lead to code execution, denial of service, or sensitive information disclosure. The affected version is unknown, and SNT assumes it affects all versions of the product.
The web application RecordFusion is vulnerable to LFI when characters are appended after the following directories:
- http://127.0.0.1/logger/log?/../../../../../
- http://127.0.0.1/logger/hist?/../../../../../
By navigating to the crafted URL, an attacker is able to see the C:/ drive directory.
Remediation: The vendor has not responded to requests.
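With no vendor fix available, one way to spot requests of the kind described above is to scan web access logs for traversal sequences in the query string of the two endpoints. The following is an added example, not part of the original advisory or of RecordFusion; it assumes common/combined-format access logs, and the sample entries are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Endpoints named in the advisory.
WATCHED_PATHS = {"/logger/log", "/logger/hist"}
# Request line of a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(query):
    """True if the decoded query string contains a '..' path segment."""
    segments = re.split(r"[\\/=&]", fully_decode(query))
    return ".." in segments

def flag_lines(log_lines):
    """Return (line_number, target) for traversal requests to watched paths."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # malformed or non-HTTP entry
        target = urlsplit(match.group(1))
        watched = target.path.rstrip("/").lower() in WATCHED_PATHS
        if watched and has_traversal(target.query):
            hits.append((number, match.group(1)))
    return hits

# Constructed sample entries (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /logger/log?/../../../../../ HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /logger/hist?/%2e%2e/%2e%2e/ HTTP/1.1" 200 498',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /logger/log?page=2 HTTP/1.1" 200 1044',
    '192.0.2.13 - - [01/Jan/2024:10:00:12 +0000] "GET /index.html?ref=a..b HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    for number, target in flag_lines(SAMPLE_LOG):
        print(f"line {number}: traversal in query -> {target}")
```

Matching on whole `..` segments after decoding avoids flagging values such as `a..b` while still catching percent-encoded forms.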
Edgar Bustos, OSCP
Information Security Engineer
Secure Network Technologies, Inc