CVE-2012-1790
medium
CVSS v3
โ
CVSS v4 NEW
โ
VIR risk
6.0
Description
Absolute path traversal vulnerability in Webgrind 1.0 and 1.0.2 allows remote attackers to read arbitrary files via a full pathname in the file parameter to index.php.
Predictions
Exploit likelihood
20%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
webgrind 1.0 - 'file' Local File Inclusion
webgrind 1.0 (file param) Local File Inclusion Vulnerability
Vendor: Joakim Nygard and Jacob Oettinger
Product web page: http://code.google.com/p/webgrind
Affected version: 1.0 (v1.02 in trunk on github)
Summary: Webgrind is an Xdebug profiling web frontend in PHP5.
Desc: webgrind suffers from a file inlcusion vulnerability (LFI)
when input passed thru the 'file' parameter to index.php is not
properly verified before being used to include files. This can be
exploited to include files from local resources with directory
traversal attacks and URL encoded NULL bytes.
----------------------------------------
/index.php:
-----------
122: case 'fileviewer':
123: $file = get('file');
124: $line = get('line');
----------------------------------------
Tested on: Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.21
PHP 5.3.9
MySQL 5.5.20
Vulnerability discovered by Michael Meyer
michael.meyer greenbone net
Vendor status:
[22.02.2012] Vulnerability discovered.
[22.02.2012] Vendor notified.
[24.02.2012] No response from the vendor.
[25.02.2012] Public security advisory released.
Advisory ID: ZSL-2012-5075
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5075.php
Vendor: http://code.google.com/p/webgrind/issues/detail?id=66
22.02.2012
---
http://<host>/webgrind/index.php?file=/etc/passwd&op=fileviewer
http://<host>/webgrind/index.php?file=/boot.ini&op=fileviewerApplication impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| webgrind_project | webgrind | 1.0 | |
References
- http://code.google.com/p/webgrind/issues/detail?id=66
- http://packetstormsecurity.org/files/110216
- http://www.exploit-db.com/exploits/18523
- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5075.php
- https://exchange.xforce.ibmcloud.com/vulnerabilities/73509
- http://code.google.com/p/webgrind/issues/detail?id=66
- http://packetstormsecurity.org/files/110216
- http://www.exploit-db.com/exploits/18523
- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5075.php
- https://exchange.xforce.ibmcloud.com/vulnerabilities/73509
CWEs
CWE-22
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.