
CVE-2023-37599 PoC — Issabel PBX Security Vulnerability

Associated Vulnerability
Title: Issabel PBX Security Vulnerability (CVE-2023-37599)
Description: Issabel PBX is an application: free, open-source software that lets you build communication tools for an enterprise. Issabel PBX v4.0.0-6 contains a security vulnerability that allows any remote attacker, without any authorization, to view sensitive application files in the application's module directory.
Description
Directory Listing vulnerability in issabel-pbx 4.0.0-6 exposing application sensitive files
Readme
## issabel-pbx 4.0.0-6 - Directory Listing

**Description:**
Issabel-pbx v.4.0.0-6 is vulnerable to Broken Access Control. The Directory Listing vulnerability allows any remote attacker to view the application's sensitive files within the modules directory of the application without any authorization.

**Vulnerable Product Version:**
issabel-pbx 4.0.0-6

**Date:**
10/07/2023

**CVE:** 
CVE-2023-37599

**CVE Author:**
Sahil Ojha

**Vendor Homepage:**
https://www.issabel.org/

**Software Link:** 
https://github.com/IssabelFoundation/issabelPBX

**Tested on:** 
Windows

**Steps to reproduce:**
1. Navigate to URL: https://{Issabel IP}/module. I found that many important files of the application can be accessed directly from this directory listing.

   ![HTML Render](https://github.com/sahiloj/CVE-2023-37599/blob/main/1.png)
   ---

   ![HTML Render](https://github.com/sahiloj/CVE-2023-37599/blob/main/2.png)
   ---

   ![HTML Render](https://github.com/sahiloj/CVE-2023-37599/blob/main/3.png)
   ---

   ![HTML Render](https://github.com/sahiloj/CVE-2023-37599/blob/main/4.png)
   ---
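The step above relies on the web server answering a bare directory request with an auto-generated index page. As an added defender-side example (not part of the original PoC and not Issabel project code), the Python below recognises an Apache mod_autoindex listing in a response body and extracts the entries it exposes, so the same check can be run against your own `/module` URL after hardening. The HTTP fetch is left out; the sample HTML and the file names in it are constructed for the example, not captured from a real host.

```python
from html.parser import HTMLParser

# Constructed sample of an Apache mod_autoindex page, shaped like the one a
# bare request to /module would produce when directory listing is enabled.
# The file names are invented for this example.
SAMPLE_LISTING = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head><title>Index of /module</title></head>
 <body>
<h1>Index of /module</h1>
<pre><a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a> <a href="?C=S;O=A">Size</a><hr>
<a href="/">Parent Directory</a>                             -
<a href="config.php">config.php</a>             2023-07-10 10:00  1.2K
<a href="index.php">index.php</a>              2023-07-10 10:00  4.0K
<a href="libs/">libs/</a>                  2023-07-10 10:00    -
<hr></pre>
</body></html>
"""

# Constructed sample of a normal application page (no listing).
SAMPLE_NORMAL = (
    "<html><head><title>Issabel</title></head>"
    "<body><h1>Login</h1></body></html>"
)

# Extensions a reviewer would not want exposed through an index page.
SENSITIVE_SUFFIXES = (".php", ".inc", ".conf", ".ini", ".sql", ".bak")


class _AutoindexParser(HTMLParser):
    """Collects the <title> text and the relative hrefs of an index page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.entries = []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href", "")
            # Skip mod_autoindex sort links (?C=...), the parent-directory
            # link (/) and absolute URLs; keep only entries inside the dir.
            if href and not href.startswith(("?", "/", "http")):
                self.entries.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def analyze_listing(html):
    """Return (is_listing, entries) for a response body.

    is_listing is True when the page carries the mod_autoindex
    'Index of <dir>' title; entries are the relative names it exposes.
    """
    parser = _AutoindexParser()
    parser.feed(html)
    parser.close()
    is_listing = parser.title.strip().startswith("Index of ")
    return is_listing, (parser.entries if is_listing else [])


def sensitive_entries(entries):
    """Filter listing entries down to names with a sensitive extension."""
    return [e for e in entries if e.lower().endswith(SENSITIVE_SUFFIXES)]


if __name__ == "__main__":
    for label, body in (("listing", SAMPLE_LISTING), ("normal", SAMPLE_NORMAL)):
        listing, names = analyze_listing(body)
        print(label, "directory listing:", listing, "exposed:", names,
              "sensitive:", sensitive_entries(names))
```

For a server that is Apache httpd (assumed here, as that is the usual Issabel deployment), the fix is to turn off automatic index generation for the document root or the affected directory with `Options -Indexes` in the relevant `<Directory>` block or `.htaccess`; after that, the same request returns a 403 and `analyze_listing` reports no listing.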
File Snapshot

```
[4.0K] /data/pocs/a872fec8374379df78b3b91b49f7a4b732dd29c8
├── [132K] 1.png
├── [146K] 2.png
├── [138K] 3.png
├── [ 38K] 4.png
└── [1.1K] README.md

0 directories, 5 files
```