Artica Web Proxy v4.30.000000
*Proxy Cache and Web filtering Appliance
Artica Proxy is a system that provide a sexy Web Ajax console in order manage a full Proxy server without any technical skill and with latest Squid technology.
It provide surls filtering with french Toulouse University and Artica database - over 30.000.000 websites.
There are many statistics per users or categories or websites and features in order to manage Internet bandwith.
It provides FireWall/QOS features.
Can work in Transparent mode or connected to an Activ Directory/OpenLDAP members database.
Authentication Bypass (CVE-2020-17506)
Artica provides an API interface in
fw.login.php for authentication. The parameter
apikey has a SQL injection vulnerability, an attacker can forge a
$_SESSION["uid"] by co-injection to log in any user. In the code,
$_SESSION["uid"] == "-100" indicates that the current user is
The next step is to construct a local array to commit to.
OS Command Injection (CVE-2020-17505)
After successfully bypassing authentication to get admin access, I tried this to find out more about the problem that allowed me to get root access.Where
cyurs.index.php is loaded with
cyurs.php and the unchecked parameter
service_cmds_peform is passed into the
service_cmds function and called.
Eventually I managed to execute the command with root privileges.
- 2020-08-08: Vulnerability found and submitted to vendor with no response.
- 2020-08-12: Submitted to CVE.
- 2020-08-13: CVE Confirms Vulnerability.