PMB Local File Inclusion Scanner

PMB is a library management software used by librarians and educational institutions for cataloging, lending, and managing library operations effectively. It supports a wide range of functionalities such as online catalogs, digital resource management, and user account management to facilitate library services. Typically utilized by libraries, schools, universities, and research centers, PMB aims to streamline the library management process. The software allows users to access and manage vast volumes of bibliographic and digital resources efficiently. Its flexible architecture and comprehensive user management features make it a preferred choice for modern libraries. PMB helps maintain robust library systems, thus facilitating efficient resource management in educational and research settings.

Local file inclusion (LFI) is a type of vulnerability that allows attackers to include files on a server through web requests. This vulnerability occurs when a web application receives a file path from an attacker-controlled input. It can lead to sensitive file disclosure, code execution, and full server compromise in severe cases. LFI often stems from improper validation of user input, allowing attackers to manipulate file paths and access unauthorized system files. In PMB, the vulnerability could be exploited to read sensitive files like configuration files, which may contain credentials or other sensitive information. This vulnerability poses significant risks if not addressed, as it can serve as a gateway to more severe attacks.

The vulnerable endpoint in PMB's version 5.6 is located in the "getgif.php" script, which accepts a parameter "chemin" that specifies the file path to be retrieved. The issue arises due to insufficient input validation on the "chemin" parameter, allowing attackers to employ directory traversal techniques to access files outside the intended directory. By manipulating the input, attackers can navigate the server's file system to disclose sensitive files. The regex pattern "root:.*:0:0:" indicates that the script is capable of retrieving the "/etc/passwd" file, a critical system file in Unix-based systems. This endpoint's misconfiguration can thus be leveraged for unauthorized access to sensitive data.

Exploiting this LFI vulnerability can lead to unauthorized access to sensitive files on the server, potentially exposing confidential data that could be misused. An attacker could gain sufficient information to perform further attacks, such as accessing configuration files to extract database credentials, leading to potential data breaches. If combined with code execution vulnerabilities, the attacker might escalate their access to compromise the entire system. Furthermore, if attacker retrieves script files, they could expose additional vulnerabilities. This security flaw demands immediate attention to prevent data loss or corruption.

REFERENCES

• https://www.exploit-db.com/exploits/49054