FineReport 8.0 - Local File Inclusion

What is "FineReport 8.0 - Local File Inclusion?"

The "FineReport 8.0 - Local File Inclusion" module is designed to detect a vulnerability in the FineReport 8.0 software. FineReport is a reporting and data analysis tool used by organizations to create and manage reports. This module specifically targets the FineReport 8.0 version and identifies instances of local file inclusion.

This vulnerability is classified as CWE-22 and has a severity rating of high. It can potentially allow an attacker to include arbitrary files from the local file system, leading to unauthorized access and potential data leakage.

This module was authored by pikpikcu.

Impact

A successful exploitation of the FineReport 8.0 local file inclusion vulnerability can have serious consequences. It may allow an attacker to access sensitive files on the server, such as configuration files or user credentials. This can lead to further attacks, data breaches, or unauthorized access to the system.

How does the module work?

The "FineReport 8.0 - Local File Inclusion" module works by sending HTTP requests to specific endpoints in the FineReport application. It checks for the presence of certain patterns in the response body and verifies the HTTP status code to determine if the vulnerability is present.

One example of an HTTP request template used by this module is:

GET /WebReport/ReportServer?op=chart&cmd=get_geo_json&resourcepath=privilege.xml

The module then applies matching conditions to the response to confirm the presence of the vulnerability. In this case, it checks if the response body contains the strings "<rootManagerName>" and "<rootManagerPassword>". Additionally, it verifies that the HTTP status code is 200.

If all matching conditions are met, the module reports the vulnerability, indicating the presence of the FineReport 8.0 local file inclusion vulnerability.

For more information, you can refer to the reference provided.

Metadata: [insert metadata here]