OS4ED / openSIS-Classic

openSIS is a commercial-grade, secure, scalable and intuitive Student Information System and School Management Software from OS4ED. It has all the functionality needed to run single or multiple institutions in one installation. Web based, PHP code, MySQL database.
https://www.os4ed.com

Authenticated Directory Traversal Vulnerability #325

Open Gurleyen opened 1 week ago

Gurleyen commented 1 week ago

Hello,

I am writing to inform you of an authenticated directory traversal vulnerability I have discovered in openSIS-Classic Version 9.1.

Vulnerability Details:

•   Description: The vulnerability arises due to improper validation of user-supplied input in certain file path parameters. An authenticated user can exploit this by injecting double-encoded directory traversal sequences (e.g., %2e%252e%252f) into these parameters, allowing access to files outside the intended directories.
•   Impact: This could lead to unauthorized access to sensitive files on the server's filesystem, including configuration files and database credentials. Such access may result in information disclosure, privilege escalation, or further compromise of the application and server.

Steps to Reproduce:

1.  Log in to the application with valid user credentials.
2.  Navigate to the functionality that handles file operations (here, /DownloadWindow.php).
3.  For the PoC (on Linux): /DownloadWindow.php?filename=%2e%252e%252f%2e%252e%252f%2e%252e%252f%2e%252e%252f%2e%252e%252fetc%2fpasswd

I wanted to bring this to your immediate attention so that appropriate measures can be taken to address this issue. I am available to provide additional details or assist in resolving this vulnerability.

Details: https://github.com/Gurleyen/MY-CVE-References/tree/main/Opensis
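The report above hinges on double URL encoding slipping past a check that only looks at the raw parameter. As an added example (not openSIS code; the function name and the download directory path are assumptions), this is how a download handler can confine a user-supplied filename to one directory in a way that catches single- and double-encoded traversal:

```php
<?php
// Added example, not part of openSIS: confine a user-supplied filename to a
// download directory and reject traversal regardless of encoding depth.
// The function name and $downloadDir value are assumptions for illustration.

function resolve_download_path(string $downloadDir, string $filename): ?string
{
    // PHP already decodes $_GET once, so "%2e%252e%252f" arrives as ".%2e%2f".
    // Decode until the value stops changing (bounded) so that every layer of
    // encoding is stripped before any check runs.
    $decoded = $filename;
    for ($i = 0; $i < 5; $i++) {
        $next = rawurldecode($decoded);
        if ($next === $decoded) {
            break;
        }
        $decoded = $next;
    }

    // A download name must be a single file name: no NUL bytes, no path
    // separators of either kind, and not "." or "..".
    if ($decoded === '' || $decoded === '.' || $decoded === '..'
        || strpbrk($decoded, "\0/\\") !== false) {
        return null;
    }

    // Canonicalise both sides and require the target to sit under the base.
    // The trailing separator stops "/srv/downloads-other" matching "/srv/downloads".
    $base = realpath($downloadDir);
    if ($base === false) {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $decoded);
    if ($target === false || !is_file($target)
        || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

// Usage: serve the file only when it resolves inside the download directory.
$path = resolve_download_path('/var/www/opensis/downloads', $_GET['filename'] ?? '');
if ($path === null) {
    http_response_code(400);
    exit('invalid file name');
}
readfile($path);
```

With this check the PoC value in step 3 decodes to "../../../../../etc/passwd", fails the separator test, and is rejected before any filesystem access.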

aziz0x48 commented 1 week ago

Hey @Gurleyen, just to let you know, this was already discovered and assigned CVE-2023-38879 by another researcher.

https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2023-38879