Authenticated Arbitrary local file read via path traversal
* Title : Authenticated Arbitrary local file read via path traversal
* Author: Kaustubh G. Padwad
* CVE-ID: CVE-2019-7387
* Vendor: Systrome Networks (http://systrome.com/about/)
* Products: 1. ISG-600C
* Tested Version: ISG-V1.1-R2.1_TRUNK-20181105.bin (respective versions for the other models)
* Severity: High--Critical
About the Product:
Cumilon ISG-* cloud gateway is the security product developed by Systrome for the distributed access network of the cloud-computing era. It integrates the L2-L7 security features of a next-generation firewall, is based on user identification and application identification, and provides an application-layer firewall, intrusion prevention, anti-virus, anti-APT, VPN, intelligent bandwidth management, multi-egress link load balancing, content filtering, URL filtering, and other security functions. It provides a cloud interface. The security cloud management platform, based on a big-data platform architecture, can monitor the network topology and device status in real time, simplifying online deployment of the device via automatic configuration delivery. Real-time monitoring from a mobile terminal reduces maintenance cost and makes security visible at any time and anywhere. The Systrome cloud gateway is marketed as the access security choice for small and medium enterprises, branch interconnection, and chain enterprises.
A local file inclusion vulnerability exists in the web interface of Systrome Cumilon ISG-600C, ISG-600H, and ISG-800W 1.1-R2.1_TRUNK-20180914.bin devices. When the export function is called from system/maintenance/export.php, it accepts the path provided by the user, leading to path traversal via the name parameter.
The PHP file /system/maintenance/export.php does not properly validate the user input, which leads to the path traversal vulnerability. Below is the snippet of the vulnerable code:
// Vulnerable snippet from export.php: the name parameter is taken from the request unvalidated
if ('isp' == $type)
    $fname = $_GET['name'];
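As an added example (not the vendor's code), one way the lookup could be hardened so that the name parameter can only select a file inside the intended export directory; the directory path and the helper name are assumptions:

```php
<?php
// Added example, not from the vendor's export.php. EXPORT_DIR and
// resolve_export_path() are assumed names used for illustration.

const EXPORT_DIR = '/var/lib/isg/exports'; // assumed export root

/**
 * Resolve a user-supplied export name to a file strictly inside $baseDir.
 * Returns the canonical path, or null if the name is rejected.
 */
function resolve_export_path(string $name, string $baseDir = EXPORT_DIR): ?string
{
    // Accept only a plain file name: no directory separators, no NUL bytes,
    // and not "." or "..". This rejects inputs such as ../../../../etc/passwd
    // before the filesystem is consulted at all.
    if ($name === '' || $name !== basename($name)
        || strpos($name, "\0") !== false || $name === '.' || $name === '..') {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null; // export directory missing: fail closed
    }

    // Canonicalise the candidate and confirm it still sits under the base
    // directory. realpath() follows symlinks, so a link inside the export
    // directory that points elsewhere cannot escape either.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Replacement for the vulnerable `$fname = $_GET['name'];` in the handler.
$type = $_GET['type'] ?? '';
if ('isp' == $type) {
    $fname = resolve_export_path((string)($_GET['name'] ?? ''));
    if ($fname === null) {
        http_response_code(400);
        exit('invalid export name');
    }
    // ... continue with the export using $fname ...
}
```

Requests that fail the check are answered with HTTP 400 and never reach the filesystem, so logging them at that point also gives a simple detection signal for traversal attempts against this endpoint.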
Affected Product Code Base:
ISG-600C - ISG-V1.1-R2.1_TRUNK-20181105.bin
Impact: Escalation of Privileges
Impact: Information Disclosure
The attacker has to send the crafted request while authenticated.
How to Reproduce: (POC):
1. Visit the URL http://device_ip/system/maintenance/export.php?type=isp&name=../../../../../../etc/passwd.
This issue is fixed in ISG-V1.1-R2.1_TRUNK-20181229.bin
Timeline:
10-Dec-2018 Discovered the vulnerability
10-Dec-2018 Reported to vendor
04-Jan-2019 Received the fix from vendor
04-Jan-2019 Requested the CVE-ID
4-Feb-2019 CVE assigned
8-Feb-2019 Advisory published
* Kaustubh Padwad
* Information Security Researcher