**Name of the Vulnerable Software and Affected Versions:**

FOG versions 1.5.10.1673 and below

**Description:**

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. An authentication bypass vulnerability exists, allowing an attacker to perform an unauthenticated database dump and extract a full SQL database without credentials. The vulnerability also allows for directory listing, Server-Side Request Forgery (SSRF), and Open Redirection attacks. The `/fog/management/export.php` endpoint is vulnerable; a POST request to this endpoint can trigger the database dump. Additionally, versions 1.5.10.34 and below are vulnerable to Remote Code Execution (RCE) via a similar POST request to `/fog/management/export.php?filename=$(id)&type=pdf`. A GET request to `/fog/service/getversion.php?url=<PATH>` can trigger SSRF, and a GET request to `/fog/status/getfiles.php?path=<DIR>` can cause directory listing.

**Recommendations:**

Upgrade to the latest version of either the dev-branch or working-1.6 branch.

Close access to `/fog/service/`, `/fog/status/`, and `/fog/management/` for external IP addresses using a Web Application Firewall (WAF) or Intrusion Detection System (IDS).