CVE-2018-12604 - Information Exposure Through Log Files vulnerability in Njtech Greencms 2.3.0603

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: NONE
Availability impact: NONE
Tags: network, low complexity, njtech, CWE-532, exploit available

Summary

GreenCMS 2.3.0603 allows remote attackers to obtain sensitive information via a direct request for Data/Log/year_month_day.log.

Vulnerable Configurations

Part | Description | Count
Application | Njtech | 1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Fuzzing and observing application log data/errors for application mapping
    An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. Fuzzing techniques involve sending random or malformed messages to a target and monitoring the target's response. The attacker does not initially know how a target will respond to individual messages, but by attempting a large number of message variants they may find a variant that triggers the desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash. By observing logs and error messages, the attacker can learn details about the configuration of the target application and might be able to cause the target to disclose sensitive information.

Exploit-Db

description: GreenCMS 2.3.0603 - Information Disclosure. CVE-2018-12604. Webapps exploit for PHP platform
file: exploits/php/webapps/44922.txt
id: EDB-ID:44922
last seen: 2018-06-22
modified: 2018-06-22
platform: php
port:
published: 2018-06-22
reporter: Exploit-DB
source: https://www.exploit-db.com/download/44922/
title: GreenCMS 2.3.0603 - Information Disclosure
type: webapps

Packetstorm

data source: https://packetstormsecurity.com/files/download/148281/greencms230603-disclose.txt
id: PACKETSTORM:148281
last seen: 2018-06-23
published: 2018-06-22
reporter: vr_system
source: https://packetstormsecurity.com/files/148281/GreenCMS-2.3.0603-Information-Disclosure.html
title: GreenCMS 2.3.0603 Information Disclosure