# OsClass 3.4.1 - Local File Inclusion (LFI)

- Advisory ID: RO-14-003
- CVE ID: CVE-2014-6308
- Severity: Critical
- Vendor: OsClass
- Product: OsClass
- Version: 3.4.1

## Overview

A Local File Inclusion (LFI) vulnerability exists in OsClass version 3.4.1 that allows remote attackers to include arbitrary files from the server.

## Vulnerability Details

- Affected Versions: 3.4.1 and earlier
- Root Cause: Insufficient validation of user-supplied input allows attackers to manipulate file paths and include local files.

## Exploitation Requirements

- No authentication required
- Direct access to the vulnerable endpoint

## Impact

Remote attackers can exploit this vulnerability to:

- Read sensitive configuration files
- Access database credentials
- View source code
- Potentially achieve remote code execution

## Proof of Concept

Details available upon request.

## Solution

Upgrade to a patched version of OsClass that includes proper input validation for file inclusion operations.

## References

- CVE-2014-6308

Timeline:

- [2014-01-01] - Discovered

Credits: Omar Kurt
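
For sites that maintain their own PHP code around file inclusion, the kind of input validation named under Root Cause and Solution can look like the following. This is an added example, not OsClass code or the vendor's patch; the `resolve_include()` helper, the `contact` template name and the temporary directory are hypothetical and constructed for the demonstration.

```php
<?php
// Added example, not OsClass code. resolve_include(), the template name and
// the demo directory are hypothetical.

/**
 * Map a user-supplied name to a file under $baseDir, or return null.
 */
function resolve_include(string $baseDir, string $name): ?string
{
    // 1. Accept only a short identifier: no slashes, dots, NUL bytes or stream wrappers.
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/i', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // 2. The extension is fixed by the code, never taken from the request.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    // 3. After symlinks are resolved, the file must still sit inside the base directory.
    if ($candidate === false
        || strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($candidate)) {
        return null;
    }
    return $candidate;
}

// Constructed demo: a temporary template directory holding one allowed file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . bin2hex(random_bytes(4));
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'contact.php', "<?php echo 'contact';\n");

// Constructed inputs: one legitimate name, the rest must be rejected.
$inputs = ['contact', '../../../../etc/passwd', 'contact.php', "contact\0.txt",
           'php://filter/resource=contact', '/etc/passwd'];
foreach ($inputs as $in) {
    $path = resolve_include($base, $in);
    printf("%-36s => %s\n", json_encode($in),
        $path === null ? 'rejected' : 'include ' . basename($path));
}

// Clean up the demo directory.
unlink($base . DIRECTORY_SEPARATOR . 'contact.php');
rmdir($base);
```

The caller passes the returned path to `include` only when it is not null; a null result should be logged and answered with a generic error page.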