glFusion 1.3.0 Blind SQL Injection

glFusion 1.3.0 Blind SQL Injection

OsClass 3.4.1 - Local File Inclusion glFusion 1.3.0 Blind SQL Injection

OsClass 3.4.1 - Local File Inclusion (LFI)
Advisory ID: RO-14-003
CVE ID: CVE-2014-6308
Severity: Critical
Vendor: OsClass
Product: OsClass
Version: 3.4.1


Overview #

A Local File Inclusion (LFI) vulnerability exists in OsClass version 3.4.1 that allows remote attackers to include arbitrary files from the server.


Vulnerability Details #

Affected Versions: 3.4.1 and earlier

Root Cause: Insufficient validation of user-supplied input allows attackers to manipulate file paths and include local files.


Exploitation Requirements #

No authentication required
Direct access to the vulnerable endpoint

Impact #

Remote attackers can exploit this vulnerability to:

Read sensitive configuration files
Access database credentials
View source code
Potentially achieve remote code execution

Proof of Concept #

Details available upon request.


Solution #

Upgrade to a patched version of OsClass that includes proper input validation for file inclusion operations.


References #

CVE-2014-6308

Timeline:

[2014-01-01] - Discovered

Credits: Omar Kurt