Chadha PHPKB 9.0 Enterprise Edition is affected by an arbitrary file disclosure: installer/test-connection.php (part of the installation process) allows a remote unauthenticated attacker to disclose local files on hosts running PHP before 7.2.16, or on hosts where the MySQL ALLOW LOCAL DATA INFILE option is enabled.
“PHPKB is a knowledge base software that keeps information organized, accessible, and easy to manage for internal teams and external customers.”. For more information visit https://www.knowledgebase-script.com/.
During the installation process, the
installer/test-connection.php API endpoint allows the user to test if the database connection works correctly by testing the MySQL hostname, username and password input information. However, after the setup is completed, that API endpoint is still available to any unauthenticated user.
If the host is configured with PHP before 7.2.16 or the MySQL ALLOW LOCAL DATA INFILE option is enabled, an unauthenticated attacker is able to read arbitrary local files on the PHPKB host.
We have published CVE-2020-11579.py to help with this issue in particular and similar scenarios: basically it starts a malicious MySQL server locally and then sends the HTTP request necessary to trigger the interaction and exfiltrate the file.
A low-privileged attacker can gain access to arbitrary local files on the PHPKB host.
Upgrade to the latest 9.0 version available or later. (Note: we didn’t verify the patch.)
This report was subject to Shielder’s disclosure policy:
`polict` of Shielder
28 July 2020