module
Icingaweb Directory Traversal in Static Library File Requests
| Disclosed |
|---|
| May 9, 2022 |
Disclosed
May 9, 2022
Description
Icingaweb versions from 2.9.0 to 2.9.5 inclusive, and 2.8.0 to 2.8.5 inclusive suffer from an
unauthenticated directory traversal vulnerability. The vulnerability is triggered
through the icinga-php-thirdparty library, which allows unauthenticated users
to retrieve arbitrary files from the targets filesystem via a GET request to
/lib/icinga/icinga-php-thirdparty/ as the user
running the Icingaweb server, which will typically be the www-data user.
This can then be used to retrieve sensitive configuration information from the target
such as the configuration of various services, which may reveal sensitive login
or configuration information, the /etc/passwd file to get a list of valid usernames
for password guessing attacks, or other sensitive files which may exist as part of
additional functionality available on the target server.
This module was tested against Icingaweb 2.9.5 running on Docker.
unauthenticated directory traversal vulnerability. The vulnerability is triggered
through the icinga-php-thirdparty library, which allows unauthenticated users
to retrieve arbitrary files from the targets filesystem via a GET request to
/lib/icinga/icinga-php-thirdparty/ as the user
running the Icingaweb server, which will typically be the www-data user.
This can then be used to retrieve sensitive configuration information from the target
such as the configuration of various services, which may reveal sensitive login
or configuration information, the /etc/passwd file to get a list of valid usernames
for password guessing attacks, or other sensitive files which may exist as part of
additional functionality available on the target server.
This module was tested against Icingaweb 2.9.5 running on Docker.
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.