Chadha PHPKB 9.0 Enterprise Edition arbitrary file disclosure

Summary

Chadha PHPKB 9.0 Enterprise Edition is affected by an arbitrary file disclosure: installer/test-connection.php (part of the installation process) allows a remote unauthenticated attacker to disclose local files on hosts running PHP before 7.2.16, or on hosts where the MySQL ALLOW LOCAL DATA INFILE option is enabled.

Product Description (from vendor)

“PHPKB is a knowledge base software that keeps information organized, accessible, and easy to manage for internal teams and external customers.”. For more information visit https://www.knowledgebase-script.com/.

CVE(s)

Details

Root Cause Analysis

During the installation process, the installer/test-connection.php API endpoint allows the user to test if the database connection works correctly by testing the MySQL hostname, username and password input information. However, after the setup is completed, that API endpoint is still available to any unauthenticated user. If the host is configured with PHP before 7.2.16 or the MySQL ALLOW LOCAL DATA INFILE option is enabled, an unauthenticated attacker is able to read arbitrary local files on the PHPKB host.

Proof of Concept

We have published CVE-2020-11579.py to help with this issue in particular and similar scenarios: basically it starts a malicious MySQL server locally and then sends the HTTP request necessary to trigger the interaction and exfiltrate the file.

Impact

A low-privileged attacker can gain access to arbitrary local files on the PHPKB host.

Remediation

Upgrade to the latest 9.0 version available or later. (Note: we didn’t verify the patch.)

Disclosure Timeline

This report was subject to Shielder’s disclosure policy:

  • 06/04/2020:
  • 28/07/2020:
    • Shielder’s advisory is made public

Credits

`polict` of Shielder

This advisory was first published on https://www.shielder.com/advisories/chadha-phpkb-arbitrary-file-disclosure/

Date

28 July 2020