Some questions about rce in kaltura about telekom-security.github.io HOT 2 CLOSED

Hi @d4wner,
if you downloaded the Kaltura server software in the time after the advisory was released, you will have downloaded a patched version which is not vulnerable anymore. You can try manually reverting the patch made here.

The 'index.php'-path may be mapped via htaccess file, so I'm not sure if you can call it any other way. To test it you can install (and old) kaltura software and then access this path over the started web server.

For CVE-2017-1414 there is no separate PoC needed. You can take the payload generated by the other PoC I published and just pass it in the admin panel - again only for the vulnerable 13.1.x version.

Greetings

from telekom-security.github.io.

Well, firstly , thx for your response.

But I just regard e:/www/server/ as the webroot, I exactly mean I want to know where is webroot of your environment.
After all , there is no .htaccess file in the folder e:/www/server/, and there is no "index.php" file in this folder.
So I must find the absolute path of the webroot exactly, and I could to find a way to visit the url like what you have done, sir.

By the way, how can I find the admin panel ?
I just could not find the relative path of it.
I would find it easily if you give me the example admin-pannel url like this:
http://localhost/index.php/admin-panel

Or could you just give me a note url about how to login into the admin-panel?

I'm sorry to disturb you of these issues but I really need it.
Thx very much!

from telekom-security.github.io.