VLab Researcher discovered File Include Vulnerability in Cyberoam's Central Console v2.x

The Vulnerability-Lab team today discovered a file include vulnerability in the Cyberoam Central Console v2.x appliance application. Cyberoam Central Console (CCC) appliances are available as hardware and virtual appliances and provide centralized security management across distributed Cyberoam UTM appliances, aimed at MSSPs and large enterprises. With Layer 8 identity-based policies and centralized reports and alerts, CCC hardware and virtual appliances provide granular security and visibility into remote and branch offices across the globe.
The vulnerability allows an attacker to request local system or application files (for example, the telnet-service JSP). Successful exploitation can result in compromise of the DBMS or of the service/appliance via the file include. The bug is located in the "context=Online_help&file=" parameter of the appliance application. The security risk of the file include vulnerability is estimated as high(+). After the advisory was produced, a proof-of-concept video was released on YouTube by Benjamin Kunz Mejri (Founder, Vulnerability-Lab).
The laboratory notified Cyberoam of the critical security issue 3 days ago, and Cyberoam accepted it 2 days later. Cyberoam will provide a patch/fix for all customers soon (within a week).
Cyberoam CCC [Customers] BUG ID: CCC-859
Advisory: http://www.vulnerability-lab.com/get_content.php?id=405
Demo Video: http://www.vulnerability-lab.com/get_content.php?id=411
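The bug class described above is a help-page parameter (`file=`) that ends up selecting arbitrary local files. The following is an added example, not Cyberoam's code or anything from the advisory: it models such a `context=Online_help&file=` handler with the containment check a defender would expect, and classifies a few constructed requests. The directory layout, file names and request values are assumed for the demonstration.

```python
"""Hardened lookup for a 'context=Online_help&file=' help-page parameter (added example)."""
import os
import tempfile
from typing import Dict, Optional
from urllib.parse import parse_qs


def resolve_help_file(help_root: str, query: str) -> Optional[str]:
    """Return the canonical path of the requested help page, or None to reject.

    Rejected: unknown context, missing/blank/multi-valued 'file', a path that
    resolves outside help_root, or anything that is not an existing .html page.
    """
    params = parse_qs(query, keep_blank_values=True)
    # 'Online_help' is the only context named in the advisory; others are refused
    if params.get("context", []) != ["Online_help"]:
        return None
    files = params.get("file", [])
    if len(files) != 1 or not files[0]:
        return None
    root = os.path.realpath(help_root)
    # realpath collapses '..' and follows symlinks, so the containment test runs
    # on the final on-disk location rather than on the attacker-controlled text.
    # os.path.join discards root when the request is absolute, which the
    # commonpath check below then catches.
    candidate = os.path.realpath(os.path.join(root, files[0]))
    if os.path.commonpath([root, candidate]) != root:
        return None  # resolved outside the help directory
    if not candidate.endswith(".html") or not os.path.isfile(candidate):
        return None  # only real, static help pages may be served
    return candidate


def demo() -> Dict[str, bool]:
    """Build a throwaway help directory (constructed) and classify constructed
    queries; True means the request would be served."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<p>help</p>")
        queries = {
            "good": "context=Online_help&file=index.html",
            "traversal": "context=Online_help&file=../../outside.txt",
            "absolute": "context=Online_help&file=/outside.txt",
            "wrong_ctx": "context=Admin&file=index.html",
            "blank": "context=Online_help&file=",
            "directory": "context=Online_help&file=.",
        }
        return {k: resolve_help_file(root, q) is not None for k, q in queries.items()}


if __name__ == "__main__":
    for name, served in demo().items():
        print(f"{name:10} served={served}")
```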
