CVE-2018-25178
📋 TL;DR
Easyndexer 1.0 contains an unauthenticated arbitrary file download vulnerability that allows attackers to retrieve sensitive system files by manipulating the file parameter in POST requests to showtif.php. This affects all installations of Easyndexer 1.0, exposing configuration files, initialization files, and potentially other sensitive data.
💻 Affected Systems
- Easyndexer
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers download critical system files like /etc/passwd, /etc/shadow, database credentials, or application configuration files, leading to complete system compromise, privilege escalation, or data exfiltration.
Likely Case
Attackers download web application configuration files containing database credentials, API keys, or other sensitive information, enabling further attacks against the application or related systems.
If Mitigated
If proper network segmentation and access controls are in place, attackers may only access non-critical files or be blocked from reaching the vulnerable endpoint.
🎯 Exploit Status
Exploit code is publicly available on Exploit-DB and other sources. The attack requires only HTTP POST requests with a manipulated file parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None
Vendor Advisory: None
Restart Required: No
Instructions:
No official patch exists. Remove or disable Easyndexer 1.0 entirely. Consider migrating to alternative software.
🔧 Temporary Workarounds
Delete showtif.php
(Linux) Remove the vulnerable file from the web server
rm /path/to/easyndexer/showtif.php
Restrict access to showtif.php
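(All platforms) Use web server configuration to block access to the vulnerable endpoint
# Apache 2.2 (or 2.4 with mod_access_compat):
# <Location "/easyndexer/showtif.php">
#   Order deny,allow
#   Deny from all
# </Location>
# Apache 2.4+: inside the same <Location> block, use "Require all denied" instead of the Order/Deny lines.
# Nginx (place before any generic \.php$ regex location, since the first matching regex wins):
# location ~ /easyndexer/showtif\.php$ { deny all; }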
🧯 If You Can't Patch
- Implement strict network access controls to limit access to the Easyndexer instance
- Deploy a web application firewall (WAF) with rules to block requests containing path traversal patterns
🔍 How to Verify
Check if Vulnerable:
Send a POST request to /easyndexer/showtif.php with a file parameter containing path traversal (e.g., file=../../../etc/passwd). If the response contains system file content, the system is vulnerable.
Check Version:
Check the Easyndexer version in the application files or documentation. It is typically found in the README or configuration files.
Verify Fix Applied:
Attempt the same POST request after implementing the workarounds. The request should return a 403/404 error or no file content.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to showtif.php with file parameter containing path traversal patterns (../)
- Unusual file access patterns from web server process
Network Indicators:
- POST requests to showtif.php with file parameter exceeding normal length or containing suspicious characters
SIEM Query:
source="web_server_logs" AND uri="*showtif.php*" AND method="POST" AND (param="*../*" OR param="*..\\*" OR param="*etc/passwd*")
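
The log and network indicators above can be checked in code wherever request bodies are logged. The following Python is an added example, not part of the original advisory or of Easyndexer; the event tuples are constructed samples, and the (method, URI, body) record shape is an assumption about what a WAF or body-logging proxy exports. It goes beyond the SIEM query by decoding URL-encoded values before matching and by flagging absolute paths as well as `../` sequences.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample events (method, URI, raw POST body), shaped like the
# output of a WAF or request-body logger (assumed format). Not real traffic.
SAMPLE_EVENTS = [
    ("POST", "/easyndexer/showtif.php", "file=scans/invoice_0012.tif"),
    ("POST", "/easyndexer/showtif.php", "file=../../../etc/passwd"),
    ("POST", "/easyndexer/showtif.php", "file=%2e%2e%2f%2e%2e%2fconfig.ini"),
    ("POST", "/easyndexer/showtif.php", "file=%252e%252e%255csettings.php"),
    ("POST", "/easyndexer/showtif.php", "file=/etc/shadow"),
    ("GET", "/easyndexer/index.php", ""),
]

# ".." as a whole path segment (either slash style); Unix or Windows absolute path.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
ABSOLUTE = re.compile(r"^([\\/]|[A-Za-z]:[\\/])")

def fully_decode(value, max_rounds=3):
    """Undo nested URL-encoding so a doubly encoded value is seen in plain form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(method, uri, body):
    """Return the indicator name for a suspicious showtif.php request, else None."""
    path = uri.split("?", 1)[0].lower()
    if method.upper() != "POST" or not path.endswith("/showtif.php"):
        return None
    # parse_qs decodes once; fully_decode removes any further layers.
    for raw in parse_qs(body, keep_blank_values=True).get("file", []):
        value = fully_decode(raw)
        if TRAVERSAL.search(value):
            return "path-traversal"
        if ABSOLUTE.match(value):
            return "absolute-path"
    return None

def scan(events):
    """Return (body, indicator) for every event that matches an indicator."""
    return [(b, r) for m, u, b in events if (r := classify(m, u, b))]

if __name__ == "__main__":
    for body, reason in scan(SAMPLE_EVENTS):
        print(f"{reason:15} {body}")
```

Standard access logs do not record POST bodies, so this check only works on a source that captures the `file` parameter.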