OsClass 3.4.1 - Local File Inclusion (LFI)
Advisory ID: RO-14-003
CVE ID: CVE-2014-6308
Severity: Critical
Vendor: OsClass
Product: OsClass
Version: 3.4.1
Overview #
A Local File Inclusion (LFI) vulnerability exists in OsClass version 3.4.1 that allows remote attackers to include arbitrary files from the server.
Vulnerability Details #
Affected Versions: 3.4.1 and earlier
Root Cause: Insufficient validation of user-supplied input allows attackers to manipulate file paths and include local files.
Exploitation Requirements #
- No authentication required
- Direct access to the vulnerable endpoint
Impact #
Remote attackers can exploit this vulnerability to:
- Read sensitive configuration files
- Access database credentials
- View source code
- Potentially achieve remote code execution
Proof of Concept #
Details available upon request.
Solution #
Upgrade to a patched version of OsClass that includes proper input validation for file inclusion operations.
References #
Timeline:
- [2014-01-01] - Discovered
Credits: Omar Kurt