← Advisories

InfraPower PPS-02-S Q213V1 Local File Disclosure Vulnerability

High

Advisory ID

ZSL-2016-5370

Release Date

28 October 2016

Vendor

Austin Hughes Electronics Ltd. - http://www.austin-hughes.com

Affected Version

Q213V1 (Firmware: V2395S)

CVE

N/A

Tested On

Linux 2.6.28 (armv5tel), lighttpd/1.4.30-devel-1321, PHP/5.3.9, SQLite/3.7.10

Summary

InfraPower Manager PPS-02-S is a FREE built-in GUI of each IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs. Patented IP Dongle provides IP remote access to the PDUs by a true network IP address chain. Only 1xIP dongle allows access to max. 16 PDUs in daisy chain - which is a highly efficient cient application for saving not only the IP remote accessories cost, but also the true IP addresses required on the PDU management.

Description

InfraPower suffers from a file disclosure vulnerability when input passed thru the 'file' parameter to 'ListFile.php' script is not properly verified before being used to read files. This can be exploited to disclose contents of files from local resources.

	/ListFile.php:
------------------------

if(isset($_GET['file'])){
	   $handle = $_GET['file'];
   $fp = fopen('/ramdisk/'.$handle, 'r');
   while(!feof($fp)){
       $tmp=fgets($fp,2000);
       $tmp = str_replace("\n","<br />",$tmp);
       echo $tmp;
   }
   fclose($fp);
}

Proof of Concept

infrapower_lfi.txtTXT

Disclosure Timeline

27.09.2016Vulnerability discovered.

03.10.2016Vendor contacted.

04.10.2016Vendor responds asking more details.

04.10.2016Sent details to the vendor.

06.10.2016Vendor has released a new firmware version that addresses these issues.

28.10.2016Public security advisory released.

Credits

Vulnerability discovered by Gjoko Krstic

References