EzGED3 Unauthenticated Arbitrary File Read Vulnerability Allowing Administrative Takeover

Vulnerability

A vulnerability allowing unauthenticated arbitrary file reads has been identified in EzGED3 version 3.5.0. This issue arises from improper access controls and inadequate input validation in a PHP script accessible through the web interface. The vulnerability enables remote attackers to exploit directory traversal techniques to access sensitive files such as configuration files, database dumps, source code, and password reset tokens. In environments where phpMyAdmin is available, extracted credentials can be used for direct administrative access. Even without such tools, the ability to read certain files can facilitate full database extraction by targeting raw MySQL data files.

Impact

Exploitation of this vulnerability leads to unauthorized access to sensitive files, including database credentials and application source code. This access can be leveraged for full administrative takeover of the application, bypassing authentication requirements.

Reproduction

The vulnerability can be reproduced by accessing the '/data/' directory, where directory listing is enabled. This reveals files that can be targeted for arbitrary reading via the 'showparaphdocs.php' script. The 'path' parameter can be manipulated to perform directory traversal attacks, accessing sensitive files like the database configuration. Once the database credentials are obtained, they can be used to access the database directly or, if phpMyAdmin is available, to log in as an administrator.
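As an added example (not part of the advisory), the following Python detection logic scans web-server access-log lines for traversal attempts against the script and parameter named above, and for listings of the '/data/' directory. It assumes an Apache-style combined log format and that legitimate 'path' values resolve under '/data/'; the log lines and file names are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote
from posixpath import normpath

# Constructed sample log lines (script/parameter names from the advisory,
# file names are placeholders, not real EzGED3 paths).
SAMPLE_LOG = """\
203.0.113.5 - - [19/Aug/2025:16:20:01 +0000] "GET /showparaphdocs.php?path=report1.pdf HTTP/1.1" 200 5120
203.0.113.5 - - [19/Aug/2025:16:20:02 +0000] "GET /showparaphdocs.php?path=../../example_config.php HTTP/1.1" 200 812
203.0.113.9 - - [19/Aug/2025:16:20:03 +0000] "GET /showparaphdocs.php?path=..%252F..%252Fexample.ini HTTP/1.1" 200 640
198.51.100.7 - - [19/Aug/2025:16:20:04 +0000] "GET /data/ HTTP/1.1" 200 2048
198.51.100.7 - - [19/Aug/2025:16:20:05 +0000] "GET /index.php HTTP/1.1" 200 300
"""

REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded traversal is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_base(path_param, base="/data/"):
    """True if the requested path would resolve outside the assumed base dir."""
    cleaned = decode_fully(path_param).replace("\\", "/")
    resolved = normpath(base + cleaned)
    return not (resolved + "/").startswith(base)

def suspicious_requests(log_text):
    """Return (client_ip, kind, path_param, status) for traversal attempts
    against showparaphdocs.php and for listings of the /data/ directory."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        parts = urlsplit(target)
        if parts.path.endswith("/showparaphdocs.php"):
            # parse_qs decodes once; escapes_base handles further encoding layers
            for p in parse_qs(parts.query).get("path", []):
                if escapes_base(p):
                    hits.append((ip, "traversal", p, status))
        elif parts.path == "/data/":
            hits.append((ip, "data-listing", "", status))
    return hits
```

A 200 status on a flagged traversal request is the strongest signal that the read succeeded and the host should be treated as compromised.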

Remediation

Users are advised to update to EzGED3 version 3.5.72.27183 or later, where this vulnerability has been fixed.

Added: Aug 19, 2025, 4:20 PM
Updated: Aug 19, 2025, 4:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.