Product Owner: Lionwiki
Application Name: Lionwiki 3.2.11
CVE ID: CVE-2020-27191
Severity: Moderate
Authentication: Not Required
Complexity: Easy
Vulnerability Name: Local File Inclusion in ‘/index.php?page=&action=edit&f1=LFI&restore=1’
Vulnerability Explanation: A crafted string in the f1 GET variable during a restore action allows an attacker to bypass LFI filtering and include files.
Verified In: Firefox 80.0.1 (64-bit) Linux Mint 20 Hosted using Apache 2.4.41
Steps to Reproduce: This vulnerability is fairly simple to exploit. After identifying that the server is running Lionwiki version 3.2.11 or earlier, navigate your browser to SITEURL/index.php?page=&action=edit&f1={INJECTION-POINT}&restore=1. {INJECTION-POINT} should be replaced with the file you would like to include. Since Lionwiki using basic LFI filtering a LFI filter evasion pattern must be used in order to move up direcctories. Multiple patterns can be used, an example of a valid pattern is .//./FILENAME. To move up multiple directories use the .//./\\ pattern. For example, to read the /etc/passwd file this string could be used .//./\\.//./\\.//./\\.//./\\.//./\\.//./etc/passwd.
Vulnerability Explaination: Let's take a look at why this exploit works.
When reviewing a file for restoration the contents of the f1 GET variable are interpered as a file and the contents are read in. Before being read in, the f1 variable is parsed by the clear_path() funcction which attempts to prevent an LFI by filtering various characters using the str_replace() function. The relevent code block is listed below.
Let's walk through this code with the example exploit string from above, ../\\../\\../\\../\\../\\../etc/passwd. When this string is passed into the clear_path function the function removes all '..', '<', '>', '"', '//', '/.', '\\' strings, in that order. No '..', '<', '>', or '"' substrings are present in the initial string, so those are skipped. All '//' substrings are then removed, resulting in a f1 string of ../\\../\\../\\../\\../\\../etc/passwd. No '/.' substrings are present in this string, so it is skipped. Lastly, all '\\' substrings are removed, resulting in the final file inclusion string of ../../../../../../etc/passwd. Voila, we have an inclusion of the /etc/passwd file.
Happy Hacking
-June