Voyager Local File Inclusion (LFI) Scanner

Detects the Local File Inclusion (LFI) vulnerability in Voyager; affects v1.3.0.

Short Info

Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 10 days 18 hours
Scan only one: URL
Toolbox: -

Voyager is a popular open-source admin interface package used with Laravel applications to streamline web application management. It's often utilized by developers and companies to create complex dashboards, manage databases, and automate backend processes. Voyager's user-friendly interface and flexibility make it an ideal choice for web applications requiring robust admin features. Additionally, the software is popular in educational and business environments due to its ability to simplify database interactions and extend Laravel's capabilities. Many small to medium businesses rely on Voyager for its ease of use and customizable options, enhancing efficiency in managing web content. Its modular approach allows developers to easily create custom functionalities tailored to specific project requirements.

Local File Inclusion (LFI) vulnerabilities occur when a web application includes or reads files based on user-controlled input without proper validation, letting an attacker pull unintended local files into the application's processing. In Voyager, version 1.3.0 is susceptible to LFI because path parameters are handled improperly: an attacker can read sensitive server files and, where the included content is interpreted by the application, cause unintended script execution. The risk is significant because it grants unauthorized read access to the application's filesystem, which is often the first step toward further exploitation.

The vulnerability stems from inadequate validation of the 'path' parameter in the Voyager admin interface. The parameter is taken from a GET request and used to build a file path without sanitization, so directory traversal sequences such as '../' are honored and the resolved path can climb out of the intended directory to sensitive files like '/etc/passwd'. A crafted URL therefore causes the server to include arbitrary readable files from its filesystem, exposing confidential information and, where attacker-controlled content is already present on disk, allowing that content to be included as well.
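The following is an added example, not code from this page or from the Voyager project. It shows the two halves of what the description above implies: the probe a scanner sends (a 'path' value built from repeated '../' ending in 'etc/passwd', checked against a passwd-style marker in the response) and, side by side, a file handler that joins user input onto a storage root without normalisation versus one that resolves the path and refuses anything outside the root. The '/admin' base URL, the handler names, and the throw-away directory tree with its sample passwd line are all constructed for illustration.

```python
"""Added example: simulates the 'path' traversal the page describes and the
scanner's detection rule. Nothing here is Voyager's own code."""
import os
import tempfile
import urllib.parse

TRAVERSAL_DEPTH = 6          # extra '../' past '/' are harmless on a real host
PASSWD_MARKER = "root:x:0:0"  # a field pattern present in /etc/passwd


def build_probe(base_url: str, param: str = "path",
                depth: int = TRAVERSAL_DEPTH, target: str = "etc/passwd") -> str:
    """Return the GET URL a scanner would request, e.g. ?path=../../../../../../etc/passwd."""
    payload = "../" * depth + target
    return f"{base_url}?{param}={urllib.parse.quote(payload, safe='/')}"


def looks_like_passwd(body: str) -> bool:
    """Detection rule: the response body contains a passwd-style root entry."""
    return PASSWD_MARKER in body


def vulnerable_read(storage_root: str, user_path: str) -> str:
    """Mimics the flaw: user input is joined onto the storage root as-is.
    '../' sequences are honored, and an absolute user_path even replaces the root."""
    with open(os.path.join(storage_root, user_path), "r", errors="replace") as fh:
        return fh.read()


def hardened_read(storage_root: str, user_path: str) -> str:
    """Resolve symlinks and '..' first, then refuse any target outside the root."""
    root = os.path.realpath(storage_root)
    target = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"path escapes storage root: {user_path!r}")
    with open(target, "r", errors="replace") as fh:
        return fh.read()


def simulate() -> dict:
    """Build a constructed directory tree (not a real server) and run both handlers."""
    with tempfile.TemporaryDirectory() as tmp:
        storage = os.path.join(tmp, "app", "storage")
        os.makedirs(storage)
        os.makedirs(os.path.join(tmp, "etc"))
        with open(os.path.join(tmp, "etc", "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed sample line
        with open(os.path.join(storage, "readme.txt"), "w") as fh:
            fh.write("legitimate upload\n")

        # Two levels up from app/storage lands in tmp, where the fake etc/ lives.
        payload = "../" * 2 + "etc/passwd"
        results = {
            "legit": hardened_read(storage, "readme.txt"),
            "vulnerable_leaks": looks_like_passwd(vulnerable_read(storage, payload)),
        }
        for key, bad in (("hardened_blocks_traversal", payload),
                         ("hardened_blocks_absolute", os.path.join(tmp, "etc", "passwd"))):
            try:
                hardened_read(storage, bad)
                results[key] = False
            except PermissionError:
                results[key] = True
        return results


if __name__ == "__main__":
    print(build_probe("https://target.example/admin"))  # assumed base URL
    for name, value in simulate().items():
        print(f"{name}: {value!r}")
```

The realpath-then-commonpath check is the fix pattern worth carrying to any file-serving handler: validating the raw string for '../' is not enough, because an absolute path, a symlink inside the storage directory, or encoded separators can all bypass a substring filter, while comparing the fully resolved target against the resolved root cannot.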

If exploited, this LFI vulnerability could expose sensitive data, including configuration files and user credentials, compromising the application's confidentiality. Attackers might use that access to gain further control over the server, execute arbitrary code, or move laterally within the network, leading to data breaches, unauthorized access, defacement, or service disruption. They might also plant malicious scripts or escalate privileges, putting the entire server environment at risk.
