CVE-2023-31181
📋 TL;DR
This path traversal vulnerability in WJJ Software's InnoKB Server and InnoKB/Console allows attackers to access files outside the intended directory by manipulating file paths. It affects version 2.2.1 of these products, potentially exposing sensitive system files to unauthorized users.
💻 Affected Systems
- WJJ Software InnoKB Server
- WJJ Software InnoKB/Console
📦 What is this software?
Innokb by Wjjsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through reading sensitive files like /etc/passwd, /etc/shadow, or Windows SAM files, potentially leading to credential theft and lateral movement.
Likely Case
Unauthorized access to configuration files, logs, or application data stored on the server, potentially exposing sensitive information.
If Mitigated
Limited impact with proper file permissions and network segmentation, restricting access to critical system files.
🎯 Exploit Status
Path traversal vulnerabilities typically require minimal technical skill to exploit using tools like curl or web browsers with crafted URLs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.2 or later
Vendor Advisory: https://www.gov.il/en/Departments/faq/cve_advisories
Restart Required: Yes
Instructions:
1. Download latest version from vendor. 2. Backup configuration and data. 3. Stop InnoKB services. 4. Install updated version. 5. Restart services. 6. Verify functionality.
🔧 Temporary Workarounds
Input Validation Filter
allImplement web application firewall or input validation to block path traversal sequences
# Example mod_security rule for Apache:
SecRule ARGS "\.\./" "id:1001,phase:2,deny,status:403,msg:'Path Traversal Attempt'
File Permission Restriction
allRun InnoKB with minimal file system permissions
# Linux: chown -R innokb:innokb /var/lib/innokb
# Windows: Configure service account with limited privileges
🧯 If You Can't Patch
- Implement strict network segmentation to isolate InnoKB servers from sensitive systems
- Deploy web application firewall with path traversal detection rules
🔍 How to Verify
Check if Vulnerable:
Test with crafted URL like http://server:port/../../etc/passwd or similar path traversal attemptsCheck Version:
# Windows: Check program files directory or registry
# Linux: dpkg -l | grep innokb or rpm -qa | grep innokbVerify Fix Applied:
Attempt same path traversal tests after patch - should return 403/404 errors instead of file contents📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing ../ or ..\ sequences
- Access to unexpected file paths in application logs
- 403/404 errors followed by successful file access
Network Indicators:
- HTTP requests with encoded path traversal sequences (%2e%2e%2f)
- Unusual file access patterns from single IP
SIEM Query:
source="web_logs" AND (uri="*../*" OR uri="*..\\*" OR uri="*%2e%2e%2f*")