Lokomedia CMS Local File Inclusion Scanner
Detects 'Local File Inclusion (LFI)' vulnerability in Lokomedia CMS.
Short Info
Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 10 days 16 hours
Scan only one: URL
Toolbox: -
Lokomedia CMS is a content management system used in various environments by website administrators to manage content, including text, images, and other multimedia files, across web pages. It is commonly employed by small to medium-sized businesses, educational institutions, and personal blog sites to streamline content editing and publishing. Users of Lokomedia CMS benefit from an intuitive interface that simplifies web management tasks, allowing them to focus more on content creation and less on technical maintenance. The software is designed for flexibility, allowing users to customize it according to their specific content needs. Its open-source nature invites contributions and improvements from developers worldwide, thereby expanding its capabilities and security features over time. As it is web-based, Lokomedia CMS can be accessed remotely, allowing users to manage their content from anywhere with an internet connection.
The Local File Inclusion (LFI) vulnerability allows attackers to include files from the server, granting them access to sensitive files and data. This flaw typically arises when a web application dynamically includes files based on user inputs without adequate validation or sanitization. An attacker can exploit this by manipulating parameters to load unauthorized files, potentially gaining access to critical information such as configuration files, logs, and other sensitive data. LFI vulnerabilities are particularly dangerous as they can lead to full server compromise if further chained with other exploits. Knowing how to detect LFI helps in preventing unauthorized access that could lead to severe data breaches and unauthorized server control. Properly addressing LFI involves understanding its impact on application security, especially where user inputs are not correctly handled.
The LFI vulnerability in Lokomedia CMS lies in a vulnerable endpoint, the downlot.php script, which improperly handles file paths taken from user-provided input. An attacker can exploit this endpoint by appending relative paths to reach sensitive files like '/etc/passwd', using sequences such as '../../../../../../../../../../etc/passwd' within the input parameter. On the response side, successful exploitation yields certain status indicators, such as a 200 HTTP response code and specific patterns within the body, like 'application/proses'. The template uses a combination of status codes, regex patterns in the response body, and specific header words to confirm the presence of the vulnerability during scanning. Interpreting a result requires an understanding of how file paths in web applications are constructed and of the lack of input sanitization that leads to unauthorized file access.
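One way to look for this behaviour in web server access logs, as an added example that is not part of the original page or of the scanner's template: the Python below flags requests to downlot.php whose query values contain traversal sequences after percent-decoding, and reports whether the server answered 200. The combined log format, the `doc` parameter name and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line and status code inside a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A ".." path segment delimited by "/" or "\" (or by the start/end of the value).
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %252e%252e) up to `rounds` times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_downlot_requests(log_lines):
    """Return (line_no, status, decoded_value) for traversal attempts on downlot.php."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if not url.path.lower().endswith("/downlot.php"):
            continue
        # The parameter name is not assumed: every query value is inspected.
        for _, raw in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(raw)
            if TRAVERSAL_RE.search(value) or value.startswith("/"):
                hits.append((line_no, int(match.group("status")), value))
                break
    return hits

# Constructed sample lines (documentation IP ranges, hypothetical "doc" parameter).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /downlot.php?doc=brosur.pdf HTTP/1.1" 200 48211',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /downlot.php?doc=../../../../etc/passwd HTTP/1.1" 200 1834',
    '203.0.113.9 - - [01/Jan/2024:10:00:06 +0000] "GET /downlot.php?doc=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 312',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?page=../x HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line_no, status, value in suspicious_downlot_requests(SAMPLE_LOG):
        flag = "SERVED (200)" if status == 200 else "not served"
        print(f"line {line_no}: status {status} {flag} -> {value}")
```

A hit with status 200 deserves first attention, since the page names a 200 response as one of the indicators of successful inclusion.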
When left unchecked, the LFI vulnerability in Lokomedia CMS can have dire consequences, permitting attackers to escalate privilege or execute arbitrary code on the server. Malicious actors could access confidential and system-critical files, such as database credentials or user data stored within configuration files, leading to data breaches or unauthorized data manipulation. Exploiting this vulnerability can further facilitate secondary attacks, such as remote code execution, which could fully compromise the web server and its applications. Such exploitations can undermine user trust, lead to legal repercussions, or cause significant financial and reputational loss for affected organizations. The persistence of such vulnerabilities creates opportunities for attackers to conduct long-term surveillance or take control of server operations.