Xerte Online Toolkits Information Disclosure Vulnerability in the Setup Page

Vulnerability

An information disclosure vulnerability has been identified in Xerte Online Toolkits versions 3.15 and earlier. This vulnerability allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. By sending a GET request to the /setup page, attackers can access the exposed root_path value in the HTML response. This path disclosure could be exploited to navigate the filesystem or target path-dependent vulnerabilities, such as relative path traversal issues in the connector.php file.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive system information, specifically the full server-side filesystem path of the application root. This information could be used to exploit other vulnerabilities that depend on path information, such as relative path traversal.

Reproduction

To reproduce this vulnerability, send a GET request to the /setup page of the Xerte Online Toolkits application. The response will include the root_path value, which reveals the full server-side filesystem path of the application root. This path can then be used to exploit path-dependent vulnerabilities, such as relative path traversal in the connector.php file.
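As an added example that is not part of this advisory or of the Xerte project, the Python check below lets an administrator confirm on their own instance, after upgrading, that the /setup response no longer carries an absolute root_path value. The markup shapes it looks for (hidden input, JavaScript variable, JSON key) are assumptions, not the real setup template.

```python
import re
import sys
import urllib.request

# Find "root_path", then the next quoted value within 80 characters.
# Covers forms like: root_path = "/srv/xerte", name="root_path" value="/srv/xerte",
# and "root_path":"/srv/xerte". The optional quote right after the name keeps a
# quoted attribute name from being mistaken for the value delimiter.
ROOT_PATH_RE = re.compile(r'root_path["\']?.{0,80}?["\']([^"\']+)["\']', re.IGNORECASE | re.DOTALL)

# Absolute POSIX path (/var/www/...) or Windows drive path (C:\xampp\...).
ABSOLUTE_PATH_RE = re.compile(r'^(?:/[^/\s]|[A-Za-z]:[\\/])')


def find_disclosed_paths(html: str) -> list[str]:
    """Return the distinct absolute paths bound to root_path in a response body.

    Relative values (./, ../), bare labels and URLs are ignored, so only a
    genuine server-side filesystem path counts as a disclosure.
    """
    found: list[str] = []
    for match in ROOT_PATH_RE.finditer(html):
        value = match.group(1).strip()
        if ABSOLUTE_PATH_RE.match(value) and value not in found:
            found.append(value)
    return found


def check_setup_page(base_url: str, timeout: float = 10.0) -> list[str]:
    """Fetch <base_url>/setup from an instance you administer and report leaked paths."""
    url = base_url.rstrip("/") + "/setup"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")
    return find_disclosed_paths(body)


# Constructed sample of what a leaking setup page might look like (assumed markup, not the real template).
SAMPLE_LEAKING_HTML = """
<form><input type="hidden" name="root_path" value="/var/www/html/xerte/"></form>
<script>var root_path = "/var/www/html/xerte/"; var root_path_label = "Root path";</script>
"""

# Constructed sample of a fixed page that only emits a relative, non-revealing value.
SAMPLE_FIXED_HTML = '<script>var config = {"root_path": "./", "version": "3.15.0"};</script>'

if __name__ == "__main__":
    # Pass your own instance's base URL as the first argument; with none, the samples are checked.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    leaks = check_setup_page(target) if target else find_disclosed_paths(SAMPLE_LEAKING_HTML)
    print("root_path disclosure:" if leaks else "no root_path disclosure", leaks)
```

An empty list from check_setup_page after running upgrade.php is the expected post-remediation result; any absolute path returned means the response still needs attention.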

Remediation

Users are advised to update to Xerte Online Toolkits version 3.15.0 or later, and to run the upgrade.php script after updating. The latest version can be downloaded from the Xerte Community Downloads page.

Added: Apr 22, 2026, 7:21 PM
Updated: Apr 22, 2026, 7:21 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 0.6
exploitability: 9.5
remediation: 7.7
relevance: 6.2
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.