CVE-2024-28265
📋 TL;DR
IBOS v4.5.5 contains an arbitrary file deletion vulnerability in the LoginController.php component. This allows attackers to delete arbitrary files on the server, potentially disrupting system functionality or enabling further attacks. All systems running the vulnerable version are affected.
💻 Affected Systems
- IBOS
📦 What is this software?
Ibos by Ibos
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through deletion of critical system files, leading to service disruption, data loss, or enabling privilege escalation by removing security controls.
Likely Case
Service disruption through deletion of application files, configuration files, or user data, potentially causing downtime and data loss.
If Mitigated
Limited impact if proper file permissions and access controls prevent deletion of critical files, though application files remain vulnerable.
🎯 Exploit Status
Vulnerability is in a publicly accessible controller with simple file path manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://gitee.com/ibos/IBOS
Restart Required: No
Instructions:
Check the official IBOS repository for security updates. If no patch is available, consider upgrading to a newer version or implementing workarounds.
🔧 Temporary Workarounds
Restrict access to vulnerable endpoint
Block or restrict access to the vulnerable LoginController.php file via web server configuration or firewall rules. After applying the rule, confirm that normal login still works: requests routed through the application's front controller may not need direct access to this file, but verify this on your installation before relying on the block.
# Apache: Add to .htaccess (Apache 2.2 syntax; on Apache 2.4 replace the two Order/Deny lines with "Require all denied")
<Files "LoginController.php">
Order Deny,Allow
Deny from all
</Files>
# Nginx: Add to server block. Regex locations are matched in order, so place this before the generic "\.php$" fastcgi location or it will never match.
location ~* /system/modules/dashboard/controllers/LoginController\.php$ {
deny all;
}
Implement file permission restrictions
Set strict file permissions to prevent deletion of critical files. Files owned by the web server user can still be deleted by PHP code running as that user, so the application tree should be owned by a non-web account and be read-only for the web server, with write access granted only to the directories IBOS must write to.
# Linux: Protect the application tree (owner root, group www-data read-only)
chown -R root:www-data /var/www/html/
find /var/www/html/ -type d -exec chmod 750 {} +
find /var/www/html/ -type f -exec chmod 640 {} +
# Grant write access only where IBOS needs it (replace the placeholder with your installation's upload/cache directories)
chown -R www-data:www-data /var/www/html/<writable-dir>
# Set immutable flag on critical files (note: this also blocks useradd/passwd changes until removed with chattr -i)
chattr +i /etc/passwd /etc/shadow /etc/hosts
🧯 If You Can't Patch
- Implement strict file system monitoring and alerting for unauthorized file deletion attempts.
- Deploy web application firewall (WAF) rules to block requests containing file path traversal patterns.
🔍 How to Verify
Check if Vulnerable:
Check if your IBOS installation is version 4.5.5 and if the file /system/modules/dashboard/controllers/LoginController.php exists without proper input validation.
Check Version:
Check the version.php file or admin panel for IBOS version information.
Verify Fix Applied:
Test if file deletion attempts through the vulnerable endpoint are blocked or properly validated.
📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion events in system logs
- HTTP requests to LoginController.php with file path parameters
- Error logs showing file not found errors for system files
Network Indicators:
- HTTP POST/GET requests containing file paths to the vulnerable endpoint
- Unusual traffic patterns to the dashboard module
SIEM Query:
source="web_access_logs" AND (uri="/system/modules/dashboard/controllers/LoginController.php" OR uri LIKE "%LoginController.php%") AND (query_string LIKE "%file=%" OR query_string LIKE "%path=%")
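The log and network indicators above, turned into a small offline detector. This is an added example, not part of the advisory: it parses combined-format access-log lines (the sample lines are constructed for this example) and flags requests to LoginController.php that carry a file-path parameter or a traversal sequence. The parameter names "file" and "path" are taken from the SIEM query above; the advisory does not state which parameter the vulnerable code actually reads, so treat that set as an assumption to adjust for your environment.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined format). Not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:10:01:02 +0000] "GET /system/modules/dashboard/controllers/LoginController.php?file=../../config/config.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.11 - - [12/Mar/2024:10:01:05 +0000] "GET /index.php?r=dashboard/login/index HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Mar/2024:10:02:17 +0000] "POST /system/modules/dashboard/controllers/LoginController.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Mar/2024:10:03:44 +0000] "GET /system/modules/dashboard/controllers/LoginController.php?path=%2e%2e%2f%2e%2e%2fdata%2fusers.db HTTP/1.1" 404 128 "-" "python-requests/2.31"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Parameter names from the advisory's SIEM query (assumption: adjust to your deployment).
SUSPECT_PARAMS = {"file", "path"}
# Plain and URL-encoded "../" style traversal markers.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%2f)', re.IGNORECASE)


def parse_line(line):
    """Return a dict with ip, ts, method, path, query, status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = parts.query
    return entry


def classify(entry):
    """List the reasons a request matches the advisory's indicators ([] if none)."""
    reasons = []
    # Only requests aimed at the vulnerable controller are of interest.
    if not entry["path"].lower().endswith("logincontroller.php"):
        return reasons
    params = parse_qs(entry["query"], keep_blank_values=True)
    hit = SUSPECT_PARAMS & {k.lower() for k in params}
    if hit:
        reasons.append("file-path parameter: " + ",".join(sorted(hit)))
    raw = entry["query"]
    # Check both the raw and the decoded query so encoded traversal is not missed.
    if TRAVERSAL_RE.search(raw) or TRAVERSAL_RE.search(unquote(raw)):
        reasons.append("path traversal sequence")
    return reasons


def scan(log_text):
    """Run classify() over every line and return the flagged requests."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append({
                "ip": entry["ip"],
                "ts": entry["ts"],
                "status": entry["status"],
                "query": entry["query"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], "; ".join(f["reasons"]))
```

The plain POST to LoginController.php with no query string (the third sample line) is deliberately not flagged, since ordinary logins hit the same controller; what distinguishes the indicator is the presence of a file-path parameter or a traversal sequence, which is what the SIEM query above also keys on. A 404 on the flagged request (fourth line) matches the "file not found" error-log indicator and is worth correlating with the web server's error log.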