Description: This allows arbitrary files to be read from the server.
Versions Affected: 9.0
Researcher: Dwight Hohnstein (https://twitter.com/djhohnstein)
Disclosure Link: https://rhinosecuritylabs.com/research/remote-code-execution-bug-hunting-chapter-2/
NIST CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2017-7282
The function downloadFile in api/includes/restore.php blindly accepts any filename passed as valid. This allows an attacker to read any file on the filesystem.
Headers required:
AuthToken (aka "token" cookie given at login, no quotes around b64 value)
Parameters:
filename - the file to read from disk.
CVE-2017-7282.py -u TARGET -U USER -P PASSWORD
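The root cause above is a filename that is joined onto a restore directory without any containment check. The block below is an added illustration, not code from the affected product or from the researcher's script: the original handler is PHP, and this Python rendering puts the "blindly accept" behaviour next to the check a hardened download handler needs. The restore directory path and the sample filenames are constructed for the demo.

```python
import os
from typing import Optional

# Constructed, hypothetical restore directory; the real application's
# directory is not on the advisory page and is not assumed here.
RESTORE_DIR = "/srv/app/restore"


def unsafe_restore_path(restore_dir: str, filename: str) -> str:
    """What 'blindly accepting' the filename amounts to: whatever the caller
    sends is joined onto the directory. os.path.join lets an absolute name
    replace the directory entirely, and '..' segments walk out of it."""
    return os.path.join(restore_dir, filename)


def safe_restore_path(restore_dir: str, filename: str) -> Optional[str]:
    """Return the resolved path of `filename` inside `restore_dir`, or None
    if the name would refer to anything outside that directory."""
    base = os.path.realpath(restore_dir)
    # A restore file is a bare name: reject empty names and any separator
    # (backslash included, so the rule holds on every platform).
    if not filename or os.path.basename(filename) != filename or "\\" in filename:
        return None
    # Resolve '.', '..' and symlinks first, then decide on containment.
    candidate = os.path.realpath(os.path.join(base, filename))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def classify(filenames) -> dict:
    """Map each requested name to 'allowed' or 'rejected' under the safe check."""
    return {name: ("allowed" if safe_restore_path(RESTORE_DIR, name) else "rejected")
            for name in filenames}


if __name__ == "__main__":
    # Constructed sample requests, not taken from the advisory.
    samples = ["backup.sql", "../../etc/passwd", "/etc/passwd", "..", ".", ""]
    for name, verdict in classify(samples).items():
        print(f"{name!r:20} unsafe -> {unsafe_restore_path(RESTORE_DIR, name)!r:26} "
              f"safe -> {verdict}")
```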