CVE-2023-26956
📋 TL;DR
CVE-2023-26956 is an arbitrary file read vulnerability in onekeyadmin v1.3.9: a crafted request to the /admin1/curd/code component returns the contents of files on the server that the application was never meant to serve. Every deployment of the vulnerable version is affected, and the readable files can include application configuration, database credentials and other sensitive data.
💻 Affected Systems
- onekeyadmin
📦 What is this software?
onekeyadmin is an open-source, PHP-based admin panel/CMS framework published by keheying (https://github.com/keheying/onekeyadmin). The /admin1 path is its administrative back end.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read any file the web server process can open: /etc/passwd, application configuration files containing database credentials and API keys, and application source. /etc/shadow is only exposed if the web server runs as root or is otherwise misconfigured. The file read itself does not execute code, but leaked credentials and keys can lead on to full system compromise.
Likely Case
Attackers would read application configuration files to obtain database credentials and other sensitive information, enabling further attacks like database access or lateral movement.
If Mitigated
Network controls do not change which files the endpoint can read; they change who can reach it. If the admin interface is reachable only from a trusted network and the web server runs as a low-privileged user, exposure is limited to what that user can read and to attackers who already have access to that network.
🎯 Exploit Status
The vulnerability is simple to exploit: the public proof of concept is a single crafted GET request to the vulnerable endpoint. Note that the endpoint sits under the /admin1 back end; whether a valid admin session is needed before the request succeeds is not established by the advisory text, so plan for the unauthenticated case but do not rely on the application login as your only control.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v1.4.0 or later
Vendor Advisory: https://github.com/keheying/onekeyadmin/issues/4
Restart Required: Yes
Instructions:
1. Back up your current installation (files and database).
2. Download the fixed version from the official repository.
3. Replace the vulnerable files with the patched version.
4. Restart the web server/PHP-FPM so any opcode cache picks up the replaced files.
5. Re-run the verification request below to confirm the endpoint no longer returns file contents.
🔧 Temporary Workarounds
Block vulnerable endpoint
Applies to: all deployments. Use the web server configuration to deny access to the /admin1/curd/code endpoint. This also disables that admin feature for legitimate users until the patch is applied.
# For Apache: add to .htaccess in the web root (needs mod_rewrite and AllowOverride FileInfo)
RewriteEngine On
RewriteRule ^admin1/curd/code - [F,L]
# For Nginx: add to the server block, placed before any regex location that would
# otherwise handle the request (such as the PHP handler), since the first matching regex location wins
location ~ ^/admin1/curd/code { deny all; }
Implement authentication
Applies to: all deployments. Put HTTP authentication in front of the whole admin back end, so the application's own login is no longer the only gate on the vulnerable component.
# Example for Apache basic auth, in the virtual host configuration
<Location "/admin1">
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /path/to/.htpasswd
    Require valid-user
</Location>
# keep .htpasswd outside the document root and serve the admin interface over HTTPS only
🧯 If You Can't Patch
- Implement strict network access controls to limit access to the onekeyadmin interface
- Deploy a web application firewall (WAF) with a rule that blocks requests to /admin1/curd/code whose parameters contain traversal sequences (../) or absolute paths, matching both raw and URL-encoded forms
🔍 How to Verify
Check if Vulnerable:
Attempt to access http://[target]/admin1/curd/code?file=/etc/passwd and check whether the response contains the file's contents (a line starting with root:x:0:0:). The parameter name shown is the one used by the public proof of concept; confirm it, and whether an admin session is needed, against the referenced GitHub issue.
Check Version:
Check the version shown in the admin interface, or the version string in the source tree; v1.3.9 is the affected release and the fix is reported in v1.4.0.
Verify Fix Applied:
After patching, repeat the same request and verify that it returns an error, a 403, or the application's login page rather than file contents. Test both with and without an admin session if the endpoint requires one.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /admin1/curd/code with file parameter
- Unusual file access patterns from web server process
Network Indicators:
- HTTP GET requests to /admin1/curd/code whose file parameter contains path traversal (../) or an absolute path, in raw or URL-encoded form (%2e%2e, %2f, and double-encoded %252e)
SIEM Query:
source="web_server" AND uri="/admin1/curd/code" AND (query="*file=*" OR query="*../*" OR query="*%2e%2e*" OR query="*%2F*")