Cab fare calculator < 1.0.4 – Unauthenticated LFI | CVE 2022-1391

Description

The plugin does not validate the controller parameter before using it in require statements, which could lead to Local File Inclusion issues.

Despite what the original advisory claims, the issue is not exploitable by accessing the file directly as a fatal error is triggered before the vulnerable code is reached, however can be exploited by unauthenticated attackers via other requests

Proof of Concept

https://example.com/?controller=../../../index&action=1&ajax=1
https://example.com/?controller=../../../index&action=1&pg=tblight

Affects Plugins

cab-fare-calculator

Fixed in 1.0.4

References

CVE

CVE-2022-1391

Exploitdb

50843

URL

https://packetstormsecurity.com/files/#166533/

Classification

Type

LFI

OWASP top 10

A1: Injection

CWE

CWE-22

CVSS

5.3 (medium)

Miscellaneous

Original Researcher

Hassan Khan Yusufzai - Splint3r7

Verified

Yes

WPVDB ID

680121fe-6668-4c1a-a30d-e70dd9be5aac

Timeline

Publicly Published

2022-03-30 (about 2 years ago)

Added

2022-03-30 (about 2 years ago)

Last Updated

2022-07-27 (about 1 years ago)

Other

Published

Title

Published

2016-10-28

Title

SAM Pro (Free Edition) < 1.9.7.69 - Local File Inclusion (LFI)

Published

2014-08-01

Title

DM Albums - Multiple Remote File Disclosure

Published

2024-01-26

Title

Backuply – Backup, Restore, Migrate and Clone < 1.2.4 - Admin+ Directory Traversal

Published

2023-05-10

Title

Directorist < 7.5.4 - Admin+ LFI

Published

2016-08-23

Title

Mail Masta <= 1.0 - Unauthenticated Local File Inclusion (LFI)