Giters

maddsec / CVE-2023-34598

Gibbon v25.0.0 is vulnerable to a Local File Inclusion (LFI) vulnerability where it's possible to include the content of several files present in the installation folder in the server's response.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Gibbon v25.0.0 - Local File Inclusion - CVE-2023-34598

Gibbon v25.0.0 is vulnerable to a Local File Inclusion (LFI) vulnerability where it's possible to include the content of several files present in the installation folder in the server's response.

Proof of Concept

In order to exploit the vulnerability, an attacker would need to manipulate the "q" parameter to query a local file. This manipulation would cause the file to be included in the server's response. However, it's important to note that this exploit is only effective for files located within the installation folder and under specific conditions, which exclude PHP files, for instance.

http://gibbon.local/q=./file

image

image

Vendor information:

Name: Gibbon URL: https://gibbonedu.org Github repo: https://github.com/GibbonEdu/core

About

Gibbon v25.0.0 is vulnerable to a Local File Inclusion (LFI) vulnerability where it's possible to include the content of several files present in the installation folder in the server's response.