Vendor: OpenSIS
By: Eric Salario
CVSS: 6.5 (MEDIUM)
CWE: 22 (Directory/Path Traversal)
Product Name: OpenSIS
Affected Version From: 8
Affected Version To: 8
Patch Exists: NO
Related CVE: CVE-2021-40651
CPE: a:os4ed:opensis:8.0
Metasploit:
Other Scripts:
Platforms Tested: Windows, Linux
Year: 2021

OpenSIS 8.0 ‘modname’ – Directory/Path Traversal

The 'modname' parameter of 'Modules.php' is vulnerable to local file inclusion. The flaw can be exploited to expose sensitive information from arbitrary files on the underlying system.

Mitigation:

Apply the vendor-provided patch or upgrade to a non-vulnerable version.

Exploit-DB raw data:

# Exploit Title: OpenSIS 8.0 'modname' - Directory/Path Traversal
# Date: 09-02-2021
# Exploit Author: Eric Salario
# Vendor Homepage: http://www.os4ed.com/
# Software Link: https://opensis.com/download
# Version: 8.0
# Tested on: Windows, Linux
# CVE: CVE-2021-40651

To reproduce the issue, log in as the "Parent" user and navigate to http://localhost/Modules.php?modname=miscellaneous%2fPortal.php. The 'modname' parameter names the module file whose contents are included, in this case Portal.php. By walking back up the directory tree with '..%2f' (which decodes to '../'), it was possible to disclose arbitrary files from the server's filesystem, as long as the application has read access to the file.

1. Login as "Parent"

2. Open a web proxy such as Burp Suite and capture the requests

3. Navigate to http://localhost/Modules.php?modname=miscellaneous%2fPortal.php..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&failed_login=

4. Check the response

PoC: https://youtu.be/wFwlbXANRCo
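As an added illustration (not part of the advisory and not OpenSIS's own code), the Python below contrasts the flawed pattern the advisory describes, joining a decoded 'modname' onto the modules directory with no containment check, against a hardened resolver that combines NUL-byte rejection, a strict allowlist of module names and realpath containment. It also runs a small detector over constructed web-server access log lines to show how the traversal requests from the steps above, including a double-encoded variant, would stand out in logs. The modules directory layout, the function names and the log lines are assumptions made for this example; only the traversal string itself is taken from the advisory.

```python
import os
import re
import tempfile
from urllib.parse import parse_qs, unquote

# The traversal string from the advisory, URL-encoded as it appears in the request.
TRAVERSAL_PAYLOAD = "miscellaneous%2fPortal.php" + "..%2f" * 16 + "etc%2fpasswd"

# Constructed access log lines (Apache/nginx combined format, not real OpenSIS traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Feb/2021:10:00:01 +0000] "GET /Modules.php?modname=miscellaneous%2fPortal.php HTTP/1.1" 200 5120',
    '10.0.0.9 - - [09/Feb/2021:10:00:07 +0000] "GET /Modules.php?modname=' + TRAVERSAL_PAYLOAD + '&failed_login= HTTP/1.1" 200 1843',
    '10.0.0.9 - - [09/Feb/2021:10:00:09 +0000] "GET /Modules.php?modname=%252e%252e%252fconfig.php HTTP/1.1" 200 90',
    '10.0.0.7 - - [09/Feb/2021:10:00:12 +0000] "GET /index.php HTTP/1.1" 200 300',
]


def build_demo_modules_root() -> str:
    """Create a throwaway directory tree standing in for the application's
    modules folder (an assumed layout, not the real OpenSIS tree)."""
    root = tempfile.mkdtemp(prefix="modules_")
    os.makedirs(os.path.join(root, "miscellaneous"))
    with open(os.path.join(root, "miscellaneous", "Portal.php"), "w") as fh:
        fh.write("<?php /* demo module */ ?>\n")
    return root


def vulnerable_resolve(modules_root: str, modname: str) -> str:
    """The flawed pattern: decode the parameter and join it onto the modules
    directory with no containment check, so '../' segments walk out of the root."""
    return os.path.normpath(os.path.join(modules_root, unquote(modname)))


# Allowlist: directory/name segments of [A-Za-z0-9_-] ending in .php; no dots elsewhere.
MODULE_NAME_RE = re.compile(r"[A-Za-z0-9_\-]+(?:/[A-Za-z0-9_\-]+)*\.php")


def hardened_resolve(modules_root: str, modname: str):
    """Return the absolute path of the requested module file, or None if the
    request is rejected. Three independent layers: NUL-byte rejection, the
    allowlist above, and realpath containment (which also catches symlinks
    inside the modules directory that point outside it)."""
    decoded = unquote(modname)
    if "\x00" in decoded:
        return None
    if not MODULE_NAME_RE.fullmatch(decoded):
        return None
    root = os.path.realpath(modules_root)
    candidate = os.path.realpath(os.path.join(root, decoded))
    if os.path.commonpath([root, candidate]) != root:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


LOG_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def has_traversal(value: str) -> bool:
    """True if a parameter value contains a '..' path segment once fully
    percent-decoded (up to three rounds, to defeat double/triple encoding)."""
    for _ in range(3):
        value = unquote(value)
    return ".." in value.replace("\\", "/").split("/")


def flag_traversal_requests(log_lines):
    """Return the request targets whose 'modname' parameter carries traversal."""
    hits = []
    for line in log_lines:
        match = LOG_REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        params = parse_qs(target.partition("?")[2], keep_blank_values=True)
        if any(has_traversal(v) for v in params.get("modname", [])):
            hits.append(target)
    return hits


if __name__ == "__main__":
    root = build_demo_modules_root()
    print("vulnerable:", vulnerable_resolve(root, TRAVERSAL_PAYLOAD))
    print("hardened  :", hardened_resolve(root, TRAVERSAL_PAYLOAD))
    print("legit     :", hardened_resolve(root, "miscellaneous%2fPortal.php"))
    for target in flag_traversal_requests(SAMPLE_LOG):
        print("traversal :", target)
```

The allowlist alone already blocks the advisory's payload, because the segment "Portal.php.." and the trailing "etc/passwd" never match the pattern; the realpath containment check is kept as a second, independent layer so that a later loosening of the regex, or a stray symlink under the modules directory, still cannot read files outside it. On the detection side, decoding the parameter several times before looking for ".." is what makes the double-encoded request in the third log line visible.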