CVE-2020-27191

7.5 HIGH

📋 TL;DR

CVE-2020-27191 is a Local File Inclusion vulnerability in LionWiki that allows unauthenticated attackers to read arbitrary files on the server by manipulating the 'f1' parameter in index.php. This affects all LionWiki installations before version 3.2.12. Note that LionWiki is no longer maintained by its original developer.

💻 Affected Systems

Products:
  • LionWiki
Versions: All versions before 3.2.12
Operating Systems: All operating systems running LionWiki
Default Config Vulnerable: ⚠️ Yes
Notes: This vulnerability affects the core LionWiki software regardless of configuration. The software is no longer maintained by the original developer.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could read sensitive files like configuration files, password files, or source code, potentially leading to credential theft, privilege escalation, or further system compromise.

🟠 Likely Case

Unauthenticated attackers reading web server accessible files, potentially exposing configuration details, user data, or application source code.

🟢 If Mitigated

If proper web application firewalls and file permission controls are in place, impact is limited to reading only files accessible to the web server user.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP requests with crafted parameters. Public proof-of-concept code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.12

Vendor Advisory: http://lionwiki.0o.cz/index.php?page=Main+page

Restart Required: No

Instructions:

1. Download LionWiki 3.2.12 or later from the official website.
2. Back up your current installation.
3. Replace all files with the new version.
4. Verify functionality.

🔧 Temporary Workarounds

Input Validation Filter

all

Add input validation to reject or sanitize the f1 parameter containing directory traversal sequences

Modify index.php to validate the f1 parameter before processing

Web Application Firewall Rule

all

Block requests containing directory traversal patterns in the f1 parameter

Add WAF rule to block requests with '../', '..\', or similar patterns in f1 parameter
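Both workarounds come down to the same check: the value of f1 must be a plain page name, never a path. The validator below is an added example written for this advisory, not LionWiki's own code or its 3.2.12 fix; the pages directory, the ".txt" suffix and the allowed character set are assumptions. It folds single and double URL encoding before testing, because a filter that only looks for a literal '../' misses the encoded forms, and it adds a second layer that resolves the candidate file and confirms it stays inside the pages directory.

```python
"""Allowlist validation for a page-name parameter such as LionWiki's f1.

Added example illustrating the "validate f1 before processing" workaround
in generic form; this is not LionWiki's own code or its official fix.
"""
import os
import re
from typing import Optional
from urllib.parse import unquote

# Assumption for the example: page files live under this directory.
PAGES_ROOT = os.path.abspath("pages")

# A page name may contain letters, digits, space, underscore, hyphen and dot.
# Path separators are deliberately absent from the class.
PAGE_NAME_RE = re.compile(r"^[A-Za-z0-9 _.-]{1,100}$")


def decode_param(raw: str) -> str:
    """Fold single and double URL encoding so '%252e%252e' is seen as '..'."""
    return unquote(unquote(raw))


def is_safe_page_name(raw: str) -> bool:
    """Return True only if the decoded value is a plain page name."""
    name = decode_param(raw)
    if "\x00" in name or not PAGE_NAME_RE.fullmatch(name):
        return False
    # Reject hidden files and any '..' component even though the character
    # class already excludes separators; defence in depth costs nothing here.
    if name.startswith(".") or ".." in name:
        return False
    return True


def resolve_page_path(raw: str, root: str = PAGES_ROOT) -> Optional[str]:
    """Map a validated name to a file and confirm the result stays under root."""
    if not is_safe_page_name(raw):
        return None
    candidate = os.path.abspath(os.path.join(root, decode_param(raw) + ".txt"))
    # Containment check: the resolved path must share root as its prefix.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for value in ("Main page", "../../../../etc/passwd", "..%2F..%2Fetc%2Fpasswd"):
        print(repr(value), "->", resolve_page_path(value))
```

The regex allowlist does the real work; the containment check catches anything a future change to the allowlist lets through. Rejecting rather than stripping '../' is the right choice: a sanitizer that removes one '../' turns '....//' into '../' again.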

🧯 If You Can't Patch

  • Implement strict file permissions to limit web server user access to sensitive files
  • Deploy a web application firewall with rules to detect and block LFI exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Test by accessing index.php?f1=../../../../etc/passwd (or similar local file path) and checking if file contents are returned

Check Version:

Check the version number in the LionWiki installation files or admin interface

Verify Fix Applied:

After patching, attempt the same LFI test and verify file contents are not returned

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with f1 parameter containing '../' or similar directory traversal patterns
  • Unusual file access patterns from web server process

Network Indicators:

  • HTTP requests with f1 parameter attempting directory traversal

SIEM Query:

web.url:*f1=*..* OR web.uri:*f1=*..*
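The SIEM query above matches a literal '..' in the raw URL, so it misses requests where the dots arrive URL-encoded. The script below is an added example, not part of the advisory, that scans access-log lines for the f1 indicator after decoding the parameter twice, so single-encoded, double-encoded and backslash variants are all surfaced. The log lines are constructed for the example (203.0.113.0/24 is documentation address space) and the combined-log layout is assumed.

```python
"""Scan web access logs for traversal attempts in LionWiki's f1 parameter.

Added example (not from the advisory). Log lines are constructed samples.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote

# Constructed sample in combined log format: benign and suspicious requests.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2020:10:00:01 +0000] "GET /index.php?page=Main+page HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2020:10:00:02 +0000] "GET /index.php?f1=../../../../etc/passwd HTTP/1.1" 200 1640',
    '203.0.113.7 - - [10/Oct/2020:10:00:03 +0000] "GET /index.php?f1=..%2F..%2Fconfig.php HTTP/1.1" 200 900',
    '203.0.113.9 - - [10/Oct/2020:10:00:04 +0000] "GET /index.php?f1=%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 1640',
    r'203.0.113.9 - - [10/Oct/2020:10:00:05 +0000] "GET /index.php?f1=..\..\boot.ini HTTP/1.1" 404 210',
    '203.0.113.5 - - [10/Oct/2020:10:00:06 +0000] "GET /index.php?f1=Main+page HTTP/1.1" 200 512',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# A '..' path component (either separator), an absolute path, or a drive letter.
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)|^[/\\]|^[A-Za-z]:')


def decode_twice(value: str) -> str:
    """parse_qsl already decoded once; decode again to fold double encoding."""
    return unquote(value)


def find_f1_traversal(lines, param: str = "f1"):
    """Return one record per request whose decoded f1 looks like a path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        target = m["target"]
        query = target.split("?", 1)[1] if "?" in target else ""
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key != param:
                continue
            decoded = decode_twice(value)
            if TRAVERSAL_RE.search(decoded):
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "status": m["status"],
                    "raw": value,
                    "decoded": decoded,
                })
    return hits


def count_by_ip(hits):
    """Aggregate hits per source address for triage."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    found = find_f1_traversal(SAMPLE_LOG_LINES)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} status={h["status"]} f1={h["decoded"]!r}')
    print("per-source:", count_by_ip(found))
```

A 200 response with a non-trivial body on a flagged request is the line to escalate first; a 404 means the traversal was attempted but the file was not served. Rather than hand-maintaining encoded variants in the SIEM query, decode the parameter in the pipeline and alert on the decoded value.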
