CVE-2020-10584
📋 TL;DR
This vulnerability allows remote attackers to perform directory traversal via the /admin/search_by.php script in Invigo Automatic Device Management (ADM), enabling them to read arbitrary files on the server that the application's user account can access. It affects Invigo ADM versions up to 5.0, potentially exposing sensitive data to unauthorized parties.
💻 Affected Systems
- Invigo Automatic Device Management (ADM)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read critical system files (e.g., configuration files, passwords), leading to full system compromise or data exfiltration.
Likely Case
Attackers access sensitive application files or configuration data, potentially enabling further attacks or information disclosure.
If Mitigated
With proper access controls and network segmentation, impact is limited to file reads within the application's user permissions, reducing exposure.
🎯 Exploit Status
Exploitation involves simple HTTP requests with directory traversal payloads, making it easy for attackers with basic skills.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 5.0 (specific version not detailed in references)
Vendor Advisory: https://www.on-x.com/sites/default/files/security_advisory_-_multiple_vulnerabilities_-_invigo_adm.pdf
Restart Required: Yes
Instructions:
1. Check the vendor advisory for the latest patched version.
2. Back up the system.
3. Apply the update from the vendor.
4. Restart the application or server as required.
🔧 Temporary Workarounds
Restrict access to /admin/search_by.php
Block or limit access to the vulnerable script using web server rules or network controls.
# Example for Apache: add to .htaccess
<Files "search_by.php">
Order Deny,Allow
Deny from all
</Files>
# Example for Nginx: add to server block
location /admin/search_by.php {
deny all;
}
Implement input validation
Add server-side validation to sanitize file path inputs in the script.
# Requires code modification; example in PHP:
<?php
$file = $_GET['file'] ?? '';
// Reject traversal sequences and any path separator (forward or back slash),
// so only a bare file name inside the intended directory is ever accepted
if ($file === '' || strpos($file, '..') !== false || strpos($file, '/') !== false || strpos($file, '\\') !== false) {
    die('Invalid input');
}
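The PHP check above rejects traversal characters by pattern. A more robust server-side approach is to resolve the requested name against the directory the script is meant to serve and confirm the resolved path still lies inside it. The following is an added illustration of that containment check in Python; it is not code from Invigo ADM or the advisory, and the base directory /var/www/adm/files and the sample inputs are assumptions constructed for the example.

```python
import os

# Assumed directory that search_by.php is meant to serve files from (constructed for this example)
BASE_DIR = "/var/www/adm/files"


def safe_resolve(base_dir, requested):
    """Return the absolute path of `requested` inside base_dir, or None if it escapes.

    Two independent checks are applied: a syntactic one (only a bare file name is
    allowed) and a semantic one (the canonical path must stay under the base).
    """
    base = os.path.realpath(base_dir)
    # Empty names, NUL bytes and the pseudo-entries "." / ".." are never valid requests
    if not requested or "\x00" in requested or requested in (".", ".."):
        return None
    # Anything containing a path separator (relative or absolute) is rejected outright
    if os.path.basename(requested) != requested:
        return None
    # Canonicalise (collapses symlinks and any remaining ".." components) and check containment
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs: the first is legitimate, the rest are traversal attempts
    for name in ["report.csv", "../../etc/passwd", "/etc/passwd", "..", "a\x00.txt"]:
        print(repr(name), "->", safe_resolve(BASE_DIR, name))
```

Because the check works on the canonical path rather than on the literal characters, it also rejects encodings and platform-specific separators that a blacklist of ".." and "/" would miss, provided the web layer has already URL-decoded the parameter once.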
🧯 If You Can't Patch
- Isolate the affected system in a segmented network to limit exposure to trusted users only.
- Monitor and log access to the /admin/search_by.php script for suspicious activity and review regularly.
🔍 How to Verify
Check if Vulnerable:
Test by sending an HTTP request to /admin/search_by.php with a directory traversal payload (e.g., ?file=../../etc/passwd) and check if it returns sensitive file contents.
Check Version:
Check the application version via its admin interface or configuration files; specific command not provided by vendor.
Verify Fix Applied:
After patching, repeat the test; it should return an error or sanitized output instead of file contents.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /admin/search_by.php with patterns like '..' or '/' in parameters
- Unusual file access attempts in application logs
Network Indicators:
- Traffic to /admin/search_by.php with suspicious query strings from untrusted sources
SIEM Query:
Example: source="web_server" AND url="/admin/search_by.php" AND (query CONTAINS ".." OR query CONTAINS "/")
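The log indicators above are easy to state but noisy to match literally: a rule that flags any "/" in the query will fire on many legitimate requests, and a rule that only looks for a literal ".." misses percent-encoded and double-encoded forms. The following added example (not part of the advisory or the vendor's tooling) scans Common Log Format access-log lines for requests to /admin/search_by.php whose parameters decode to a traversal or absolute path. The log lines are constructed for the example and the hosts are documentation addresses.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

TARGET_PATH = "/admin/search_by.php"

# Common Log Format: host ident user [time] "METHOD request PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<request>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample log lines (documentation IP ranges, not real traffic)
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2020:12:00:01 +0000] "GET /admin/search_by.php?file=../../etc/passwd HTTP/1.1" 200 1432',
    '203.0.113.5 - - [10/Mar/2020:12:00:02 +0000] "GET /admin/search_by.php?file=..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 221',
    '198.51.100.7 - - [10/Mar/2020:12:00:03 +0000] "GET /admin/search_by.php?file=%252e%252e%252fetc%252fhosts HTTP/1.1" 200 310',
    '192.0.2.9 - - [10/Mar/2020:12:00:04 +0000] "GET /admin/search_by.php?file=report.csv HTTP/1.1" 200 5120',
    '192.0.2.9 - - [10/Mar/2020:12:00:05 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 404 120',
]


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %252e%252e -> %2e%2e -> ..)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    """True if a parameter value, once decoded, contains '..', is absolute, or carries a NUL byte."""
    v = fully_decode(value).replace("\\", "/")
    return ".." in v or v.startswith("/") or "\x00" in v


def scan_log(lines):
    """Return one finding per request to TARGET_PATH that carries a traversal-looking parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("request"))
        if unquote(parts.path) != TARGET_PATH:
            continue
        # parse_qsl performs the first round of percent-decoding; fully_decode handles the rest
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            if is_traversal(raw):
                findings.append({
                    "host": m.group("host"),
                    "time": m.group("time"),
                    "param": name,
                    "value": fully_decode(raw),
                    "status": int(m.group("status")),
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        # A 200 response to a traversal request is a stronger indicator than a 403
        print(f)
```

The last sample line is a traversal attempt against a different script and is deliberately not flagged, since the rule is scoped to the vulnerable path; widen TARGET_PATH to a set of paths, or drop the path check, to turn this into a generic traversal detector. The HTTP status in each finding matters for triage: a 200 on a decoded traversal value suggests the request may have succeeded, while a 403 indicates the access rule in the workaround above did its job.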