Xinhu Rainrock RockOA Information Disclosure Vulnerability in index.php

Vulnerability

A phpinfo() information disclosure vulnerability exists in Xinhu Rainrock RockOA version 2.7.0. This issue allows attackers to access sensitive server configuration details by invoking the phpinfo() function through specific URL parameters. The vulnerability arises because the phpinfoAction() method in index.php calls phpinfo() without proper access controls, exposing information such as the PHP version, file paths, configuration parameters, environment variables, and potentially database connection details.

Impact

Exploitation of this vulnerability leads to unauthorized disclosure of sensitive server information, including PHP and database connection details, which could be leveraged for further attacks.

Reproduction

To reproduce this vulnerability, send a request to index.php with the parameters a=phpinfo and m=index. Ensure that the request includes valid session cookies to access the target system.
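As an added detection example (not part of this advisory and not RockOA code), the following Python script scans web server access logs for requests that match the reproduction above: index.php called with a=phpinfo and m=index in any parameter order, including percent-encoded values. The log lines are constructed and the combined log format is an assumption; a hit with status 200 indicates the phpinfo() output was actually served.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access log lines (combined log format); not from any real system.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Dec/2025:17:19:01 +0000] "GET /index.php?a=phpinfo&m=index HTTP/1.1" 200 84213 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Dec/2025:17:19:02 +0000] "GET /index.php?m=index&a=phpinfo&d=x HTTP/1.1" 200 84213 "-" "Mozilla/5.0"
198.51.100.9 - - [09/Dec/2025:17:20:10 +0000] "GET /index.php?a=login&m=index HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [09/Dec/2025:17:20:11 +0000] "POST /index.php?a=phpinfo&m=index HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.7 - - [09/Dec/2025:17:21:00 +0000] "GET /other.php?a=phpinfo&m=index HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.0.2.44 - - [09/Dec/2025:17:22:30 +0000] "GET /index.php?a=php%69nfo&m=index HTTP/1.1" 200 84213 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_phpinfo_request(target: str) -> bool:
    """True when the target is index.php with a=phpinfo and m=index, in any order.

    parse_qs percent-decodes values, so a=php%69nfo is matched as well.
    """
    parsed = urlparse(target)
    if not parsed.path.lower().endswith("/index.php"):
        return False
    qs = parse_qs(parsed.query)
    action = qs.get("a", [""])[0].lower()
    module = qs.get("m", [""])[0].lower()
    return action == "phpinfo" and module == "index"


def find_phpinfo_hits(log_text: str) -> list[dict]:
    """Return one record per matching request; 'served' is True when the server answered 200."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_phpinfo_request(m["target"]):
            continue
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "status": int(m["status"]), "served": m["status"] == "200",
        })
    return hits


if __name__ == "__main__":
    for hit in find_phpinfo_hits(SAMPLE_LOG):
        print(hit)
```

Because the handler requires a valid session cookie, a served hit points to an authenticated account that should be reviewed alongside the request.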

Added: Dec 9, 2025, 5:19 PM
Updated: Dec 9, 2025, 11:12 PM

Vulnerability Rating

Custom Algorithm
  spread          0.0
  impact          2.5
  exploitability  6.0
  remediation     0.0
  relevance       1.3
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.