CVE-2023-38399 - Averta Phlox Portfolio Path Traversal Vulnerability Allows PHP Local File Inclusion

A recent vulnerability has been discovered and assigned the identifier CVE-2023-38399. The vulnerability is classified as an "Improper Limitation of a Pathname to a Restricted Directory" or, more commonly, a "Path Traversal" vulnerability in Averta Phlox Portfolio. This security issue allows a malicious actor to perform a PHP Local File Inclusion (LFI) attack, potentially allowing unauthorized access to sensitive information or system-level access. As of this writing, this vulnerability affects Phlox Portfolio versions from n/a through 2.3.1.

Details of the Vulnerability

The Path Traversal vulnerability exists in the way that Averta Phlox Portfolio handles external parameters. Since user-supplied parameters are not correctly validated, an attacker can exploit this vulnerability to traverse outside of the intended restricted directory. In addition, the attacker can include arbitrary PHP files, which can lead to local file inclusion, ultimately resulting in unauthorized access to sensitive information, or even the compromise of the entire system.

The vulnerable code in question is located in the "phlox-portfolio.php" file, as shown below

<?php
// ...
if (isset($_GET['file'])) {
    $filename = $_GET['file'];
    include($filename);
}
// ...
?>

As one can see, the 'file' parameter is directly passed to the "include" function without any proper validation, making it vulnerable to Path Traversal and LFI.

Proof of Concept (PoC)

To demonstrate the vulnerability, we can create a simple PoC by sending the following HTTP GET request to the target application:

http://target-site/phlox-portfolio.php?file=../../../../etc/passwd

This request would exploit the path traversal vulnerability, including the '/etc/passwd' file in the server's response, thus leaking sensitive information.

Original References

- CVE-2023-38399 on MITRE
- CVE-2023-38399 on NIST (National Vulnerability Database)

Exploit Details

To exploit this vulnerability, an attacker would only need to send crafted requests to the target application, manipulating the 'file' parameter to access desired files or resources within the server. This can lead to sensitive information disclosure, unauthorized access, or potentially server compromise.

Mitigation

To protect against this Path Traversal vulnerability, it is recommended that users update their Phlox Portfolio version to a patched and secure version as soon as it becomes available. The developers of the Averta Phlox Portfolio should implement proper validation and sanitization of user-supplied input data, ensuring that all inputs are restricted to expected values. This will prevent malicious actors from exploiting insecure direct object references and prevent unauthorized access to files and directories so that your application remains secure.

Timeline

Published on: 05/17/2024 07:15:58 UTC
Last modified on: 06/04/2024 17:28:18 UTC