Posts for: #Php

Critical Vulnerabilities identified in Xerte Online Toolkits <= 3.14.0 and <= 3.13.7

Introduction

Xerte Online Toolkits is an open-source web application that supports content creation for online learning platforms and is written in PHP. I became aware of this software after some coworkers encountered this application during a red team engagement. In that particular instance, our client had inadvertently left the setup directory and scripts accessible on the internet. Since the application is open-source, I set up a test environment locally with Apache and MySQL. My primary focus was determining what threat the setup directories being exposed presented. The installation instructions explicitly advise against leaving this exposed publicly as it could be overwritten by subsequent operations. Ultimately, my research did not identify any non-destructive ways to exploit the setup scripts. Instead, I began to investigate other functions of the application in various user contexts. My investigation revealed some critical issues that could allow an attacker to gain remote code execution on the underlying host.


Confusing script kiddies with random default server pages

Anyone who runs a server connected to the internet can tell you that they get hammered all day every day by bots. Sometimes, a human is poking at things looking for vulnerable applications. Quite a while ago, I created a simple PHP script to randomly pretend to be one of the 3 web servers (Apache, Nginx, IIS).

Due to copyright, I am not sharing the source code from the HTML page for IIS. They are pretty easy to find without downloading/installing the package. The NGINX source is available on GitHub. I tried to find the one served by Apache2, but could not find the page I wanted. Fortunately, it happened to be available on one of my other servers so I just copied it over from there.
