
Webbdesign SL-Studio - Local File Inclusion

By kannthu

High
Vidoc Module
#slstudio #lfi
Description

What is "Webbdesign SL-Studio - Local File Inclusion"?

The "Webbdesign SL-Studio - Local File Inclusion" module is designed to detect a vulnerability in the Webbdesign SL-Studio software. This vulnerability is classified as CWE-22 and has a severity level of high (CVSS Score: 7.5). The module aims to identify instances where the software is susceptible to local file inclusion attacks.

Author: 0x_Akoko

Impact

A successful local file inclusion attack on Webbdesign SL-Studio can allow an attacker to access sensitive files on the server. This can lead to unauthorized disclosure of sensitive information, such as system files or user credentials. It is crucial to address this vulnerability to prevent potential data breaches and unauthorized access.

How does the module work?

The module sends an HTTP GET request to the target URL with a specific parameter that includes a path traversal sequence. For example:

/index.php?page=../../../../../../../../../../etc/passwd

The module then applies matching conditions to the response received from the server. In this case, it checks whether the response matches the regular expression root:[x*]:0:0 (indicating the presence of the root user's entry from the /etc/passwd file, with either x or * in the password field) and whether the HTTP status code is 200 (indicating a successful response).

If both conditions are met, the module reports a vulnerability, indicating that the target is vulnerable to local file inclusion.
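
The two matching conditions, evaluated over a handful of responses. This is an added example, not Vidoc's module code: the Response type, the function names and the sample responses are constructed for illustration, and matching against the response body is an assumption. It also shows a case the description does not mention: any page that legitimately displays a passwd-style line with status 200 satisfies both conditions, so a hit should be confirmed manually.

```python
import re
from dataclasses import dataclass

# Matching conditions as listed in the module preview: regex AND status.
PASSWD_REGEX = re.compile(r"root:[x*]:0:0")  # [x*] is a class: literal 'x' or '*'
EXPECTED_STATUS = 200


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (hypothetical type for this example)."""
    status: int
    body: str


def evaluate(resp: Response) -> dict:
    """Return the result of each condition and the combined verdict."""
    regex_hit = PASSWD_REGEX.search(resp.body) is not None
    status_hit = resp.status == EXPECTED_STATUS
    return {"regex": regex_hit, "status": status_hit,
            "report": regex_hit and status_hit}


# Constructed sample responses, not captured from any real host.
SAMPLES = {
    "passwd_returned": Response(200, "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/:/bin/false\n"),
    "passwd_star_field": Response(200, "root:*:0:0:System Administrator:/var/root:/bin/sh\n"),
    "normal_page": Response(200, "<html><h1>Welcome</h1></html>"),
    "error_page_echo": Response(404, "Not found: root:x:0:0"),
    # False positive: ordinary content that happens to quote a passwd entry.
    "docs_page": Response(200, "<p>A passwd entry looks like root:x:0:0:root:/root</p>"),
}


def run_samples() -> dict:
    """Map each sample name to whether the module would report it."""
    return {name: evaluate(resp)["report"] for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:20} report={verdict}")
```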

Reference: https://cxsecurity.com/issue/WLB-2018110187

Metadata: max-request: 1, google-query: [empty]

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /index.php?page=../....
Matching conditions
regex: root:[x*]:0:0 and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability