
RecordFusion Local File Inclusion Vulnerability (CVE-2019-19264)
By: james@securenetworkinc.com
November 26, 2019

SNT has found a Local File Inclusion (LFI) vulnerability in the /log and /hist parameters that allows an attacker to view the server’s content through a web browser. It is caused by improper sanitization of user-supplied input. Depending on severity, this vulnerability can lead to code execution, denial of service, or sensitive information disclosure. The affected version is unknown, and SNT assumes the vulnerability affects all versions of the product.

The RecordFusion web application is vulnerable to LFI when directory traversal characters are entered after the following directories, as shown in these URLs:

  • http://127.0.0.1/logger/log?/../../../../../

  • http://127.0.0.1/logger/hist?/../../../../../



By navigating to the crafted URL, an attacker is able to see the C:/ drive directory.

Remediation: The vendor has not responded to requests. 
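
One way to spot requests matching the pattern above in web server access logs, as an added example that is not part of the original advisory or the vendor's code. The Common Log Format input, the function names and the sample log lines are assumptions constructed for illustration; percent-encoded forms of the same characters are decoded before matching.

```python
import re
from urllib.parse import unquote

WATCHED_PATHS = ("/logger/log", "/logger/hist")  # endpoints named in the advisory
# Request line of a Common Log Format entry (the log format is an assumption).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# A ".." segment delimited by "/" or "\" or by the start/end of the string.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_request(target):
    """True if target is a watched endpoint whose query contains '..' segments."""
    path, _, query = target.partition("?")
    if path.rstrip("/").lower() not in WATCHED_PATHS:
        return False
    return bool(TRAVERSAL_RE.search(fully_decode(query)))


def scan(lines):
    """Return (line_number, request_target) for each suspicious log entry."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match and is_traversal_request(match.group("target")):
            hits.append((number, match.group("target")))
    return hits


# Constructed sample log lines (not taken from the advisory).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Nov/2019:10:00:01 +0000] "GET /logger/log?/../../../../../ HTTP/1.1" 200 512',
    '192.0.2.10 - - [26/Nov/2019:10:00:05 +0000] "GET /logger/hist?%2f%2e%2e%2f%2e%2e%2f HTTP/1.1" 200 498',
    '192.0.2.11 - - [26/Nov/2019:10:01:00 +0000] "GET /logger/log?page=2 HTTP/1.1" 200 1024',
    '192.0.2.12 - - [26/Nov/2019:10:02:00 +0000] "GET /logger/hist?%252e%252e%255c HTTP/1.1" 200 498',
    '192.0.2.13 - - [26/Nov/2019:10:03:00 +0000] "GET /index.html?/../ HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A 200 response on a flagged line is worth checking against the response size, since the advisory describes the directory contents being returned in the browser.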

Edgar Bustos, OSCP
Information Security Engineer
Secure Network Technologies, Inc
