Skip to content

Latest commit

 

History

History
47 lines (36 loc) · 2.41 KB

writeup.md

File metadata and controls

47 lines (36 loc) · 2.41 KB
title date draft toc images tags
Arbitrary file write in Stimulsoft.Dashboards.PHP - CVE-2024-24398
2024-02-05 09:17:50 UTC
false
false
stimulsoft

Affected Product: Stimulsoft Dashboards.PHP

Affected Versions: <2024.1.2

Fixed Version: 2024.1.3

CVE-Number: CVE-2024-24398

Severity: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L)

Discovered by Ing. Simon Schönegger, BSc, MSc, DI Lukas Hammer, BSc

During security research, the researchers discovered that Stimulsoft Dashboards.PHP is prone to multiple vulnerabilities including arbitrary file write.

In order to exploit this vulnerability an attacker is only required to visit the Dashboards Application. This vulnerability is rated as unauthtenticated, since this product does not handle authentication on its own.

Proof of Concept

It was identified that the fileName parameter in the request to save the report on the server is prone to an arbitrary file write vulnerability.

Normally the file gets written to <webroot>/php/reports. However, if the attacker includes a path like ../arbitraryWrite.mrt the function to save the file includes this as <webroot>/php/reports/../arbitraryWrite.mrt which finally results in <webroot>/php/arbitraryWrite.mrt.

The file can be written to any location the webserver's user has access to.

Vendor contact timeline

Date Action
2024/01/10 Discovery of the vulnerability
2024/01/10 Researchers inform vendor about the vulnerability
2024/01/19 Vendor informs the researchers, that the vulnerability will be fixed with 2024.1.3
2024/01/19 Stimulsoft Dashboards.PHP 2024.1.3 is released
2024/01/19 Disclosure of the vulnerability to MITRE
2024/02/02 MITRE assigns CVE-2024-24398