VYPR
Unrated severity · NVD Advisory · Published Nov 17, 2018 · Updated Aug 5, 2024

CVE-2018-19328


Description

LAOBANCMS 2.0 allows install/mysql_hy.php?riqi=../ Directory Traversal.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

LAOBANCMS 2.0 has a directory traversal in install/mysql_hy.php via the riqi parameter, allowing unauthenticated listing of arbitrary directories readable by the web server.

Vulnerability

The vulnerability exists in LAOBANCMS 2.0, specifically in the file install/mysql_hy.php. The script does not validate the riqi parameter before concatenating it into a path that is passed to PHP's scandir(); a value containing ../ sequences therefore escapes the intended ../data/ directory. The i parameter is also attacker-controlled and is used as an index into the array scandir() returns, so each request discloses one entry of the listing.

Exploitation

An attacker can exploit this without authentication by sending a GET request such as install/mysql_hy.php?riqi=../../../../../../&i=<index>. The riqi parameter selects the directory and i selects which entry of the listing to return. Because scandir() returns a sorted list that begins with "." and "..", index 2 is the first real entry; the PoC walks indices 3-8 to reveal top-level directories on Linux (e.g., boot, dev), enumerating the directory one entry per request. No authentication or user interaction is required.

Impact

Successful exploitation allows an attacker to enumerate the contents of any directory that the web server process has read access to. This discloses file and directory names that aid further attacks (for example, locating backup or configuration files to target with other bugs). The impact is limited to information disclosure: the PoC demonstrates neither file content reads nor code execution.

Mitigation

According to reference [1], no fix had been released for LAOBANCMS 2.0 as of the publication date (2018-11-17), and no patch is recorded here. Until one exists, validate riqi against an allowlist for the expected folder-name format and i as a bounded integer, confirm the resolved path still lies inside the data directory before calling scandir(), and remove or block access to the install directory once installation is complete, since installer scripts should not remain reachable on a deployed site.
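The pattern described under Vulnerability and the validation suggested above, side by side, as an added PHP example. This is not LAOBANCMS source and not the project's fix: the function names, the data directory layout, the YYYY-MM-DD format assumed for riqi (pinyin for "date"), and the temporary files the demo creates are all assumptions for illustration; only the mechanism (riqi concatenated into a scandir() path, i indexing the result) comes from the advisory.

```php
<?php
// Added illustration, not LAOBANCMS code. Reconstructs the pattern the
// advisory describes and shows a hardened replacement. Function names,
// base directory and the riqi format are assumptions.
declare(strict_types=1);

// Vulnerable pattern as described: riqi and i are used unvalidated.
function listVulnerable(string $baseDir, array $get): ?string
{
    $riqi = $get['riqi'] ?? '';
    $i    = $get['i'] ?? 0;
    // Equivalent of "../data/" . $_GET['riqi']; "../" escapes $baseDir.
    $entries = @scandir($baseDir . '/' . $riqi);
    if ($entries === false) {
        return null;
    }
    // scandir() sorts and returns "." and ".." first, so real entries
    // start at index 2 (the PoC walked indices 3-8 on a Linux root).
    return $entries[(int) $i] ?? null;
}

// Hardened version: allowlist riqi, require a non-negative integer i,
// and verify the resolved path is still inside the data directory.
function listHardened(string $baseDir, array $get): ?string
{
    $riqi = $get['riqi'] ?? '';
    $i    = $get['i'] ?? '';

    // Assumed format: riqi names a YYYY-MM-DD folder. Anything else,
    // including "../" or "2018-11-17/../..", is rejected outright.
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $riqi)) {
        return null;
    }
    if (!ctype_digit((string) $i)) {
        return null;
    }

    // Defence in depth: canonicalise and check containment even though
    // the regex already excludes traversal sequences.
    $root   = realpath($baseDir);
    $target = realpath($baseDir . '/' . $riqi);
    if ($root === false || $target === false) {
        return null;
    }
    if ($target !== $root && strpos($target, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    $entries = scandir($target);
    if ($entries === false) {
        return null;
    }
    // Drop "." and ".." so the index refers only to real entries.
    $entries = array_values(array_diff($entries, ['.', '..']));
    return $entries[(int) $i] ?? null;
}

// Constructed demo layout (created in the temp dir and removed afterwards):
//   <tmp>/data/2018-11-17/backup.sql   legitimate target
//   <tmp>/secret.txt                   outside data/, must stay hidden
$tmp = sys_get_temp_dir() . '/cve-2018-19328-demo-' . getmypid();
mkdir("$tmp/data/2018-11-17", 0700, true);
touch("$tmp/data/2018-11-17/backup.sql");
touch("$tmp/secret.txt");
$data = "$tmp/data";

// Traversal: "../" lists the parent of data/; sorted entries are
// ".", "..", "data", "secret.txt", so index 3 leaks the outside file.
var_dump(listVulnerable($data, ['riqi' => '../', 'i' => 3]));            // "secret.txt"
var_dump(listHardened($data, ['riqi' => '../', 'i' => 3]));              // NULL
var_dump(listHardened($data, ['riqi' => '2018-11-17/../..', 'i' => 0])); // NULL
var_dump(listHardened($data, ['riqi' => '2018-11-17', 'i' => 0]));       // "backup.sql"

// Cleanup.
unlink("$tmp/secret.txt");
unlink("$tmp/data/2018-11-17/backup.sql");
rmdir("$tmp/data/2018-11-17");
rmdir("$tmp/data");
rmdir($tmp);
```

Run it with the PHP CLI (php demo.php). The allowlist regex is the control that matters here; the realpath() containment check is kept because it also catches symlinks and any future loosening of the format, and because realpath() returns false for non-existent paths, which prevents probing for directories that do not exist.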

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

0

No linked articles in our index yet.