@mariuszpoplawski
Last active September 22, 2020 09:20
CVE: in progress
------------------------------------------
Local file read from the web root via a crafted URI in CommandBox <= 5.1.1 allows remote attackers to fetch sensitive files from WEB-INF/, which contain, for example, database connection strings and SMTP credentials. Fetched encrypted connection strings can be easily decrypted because of a hardcoded secret key shared by all instances of CommandBox.
------------------------------------------
[Additional Information]
Example payload:
http://192.168.1.22:50100/lucee//WEB-INF/lucee-server/context/lucee-server.xml
Hardcoded salt for all encrypted connection strings:
variables.dataSourceSalt = 'sdfsdfs';
Tool for decryption:
https://github.com/bdw429s/RailoPasswordManagement
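As an added example that is not part of the advisory, a defender-side log check: it flags access-log requests that resolve to a WEB-INF path once the percent-decoding and repeated-slash collapsing a servlet container performs are applied to the raw target (so the `/lucee//WEB-INF/...` shape above is caught even though the raw path never contains `/WEB-INF/` directly). The log lines and the combined-log format are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the advisory); the second one
# reproduces the request shape of the advisory's example payload.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Sep/2020:09:20:01 +0000] "GET /index.cfm HTTP/1.1" 200 512
10.0.0.9 - - [22/Sep/2020:09:20:02 +0000] "GET /lucee//WEB-INF/lucee-server/context/lucee-server.xml HTTP/1.1" 200 8192
10.0.0.9 - - [22/Sep/2020:09:20:03 +0000] "GET /lucee/%2F%57EB-INF/web.xml HTTP/1.1" 200 300
10.0.0.7 - - [22/Sep/2020:09:20:04 +0000] "GET /assets/web-info.png HTTP/1.1" 200 100
"""

# Apache/nginx "combined"-style line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')

def normalise_path(target):
    """Drop the query string, percent-decode twice (catches double encoding),
    and collapse repeated slashes the way the container resolves the path."""
    path = target.split('?', 1)[0]
    for _ in range(2):
        path = unquote(path)
    segments = [s for s in path.split('/') if s]
    return '/' + '/'.join(segments)

def is_web_inf_request(target):
    """True when the normalised path contains a WEB-INF segment (any case)."""
    return any(seg.upper() == 'WEB-INF' for seg in normalise_path(target).split('/'))

def find_web_inf_hits(log_text):
    """Return one record per request that resolved to a WEB-INF path;
    'served' is True when the server answered 200, i.e. the file was exposed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_web_inf_request(m['target']):
            hits.append({'ip': m['ip'], 'path': normalise_path(m['target']),
                         'status': int(m['status']), 'served': m['status'] == '200'})
    return hits

if __name__ == '__main__':
    for hit in find_web_inf_hits(SAMPLE_LOG):
        print(hit)
```

A 200 on such a request is the signal that the deployment actually serves WEB-INF/ content; a 403 or 404 means the request was attempted but blocked.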
------------------------------------------
[Vendor of Product]
https://commandbox.ortusbooks.com/
------------------------------------------
[Affected Product Code Base]
commandbox-jre <= 5.1.1
------------------------------------------
[Affected Component]
lucee
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Attack Vectors]
To exploit the vulnerability, an attacker must have network access to the website. The vulnerability can be exploited by remote, unauthenticated users.
------------------------------------------
[Discoverer]
Mariusz Popławski (afine.pl)
------------------------------------------
Mariusz Popławski / AFINE.com team