CVE-2019-18393 PoC — Ignite Realtime Openfire 路径遍历漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2019/CVE-2019-18393.yaml

Associated Vulnerability

Title:Ignite Realtime Openfire 路径遍历漏洞 (CVE-2019-18393)
Description:Ignite Realtime Openfire是Ignite Realtime社区的一款采用Java开发且基于XMPP（前称Jabber，即时通讯协议）的跨平台开源实时协作（RTC）服务器，它能够构建高效率的即时通信服务器，并支持上万并发用户数量。 Ignite Realtime Openfire 4.4.2及之前版本中的PluginServlet.java文件存在路径遍历漏洞。该漏洞源于网络系统或产品未能正确地过滤资源或文件路径中的特殊元素。攻击者可利用该漏洞访问受限目录之外的位置。

Description

Ignite Realtime Openfire through 4.4.2 is vulnerable to local file inclusion via PluginServlet.java. It does not ensure that retrieved files are located under the Openfire home directory.

File Snapshot


 id: CVE-2019-18393

info:
  name: Ignite Realtime Openfire <4.42 - Local File Inclusion
  author: pi

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!