Authenticated Directory Traversal Vulnerability #325

Open
@Gurleyen

Hello,

I am writing to inform you of an authenticated directory traversal vulnerability I have discovered in openSIS-Classic Version 9.1.

Vulnerability Details:

•	Description: The vulnerability arises due to improper validation of user-supplied input in certain file path parameters. An authenticated user can exploit this by injecting double-encoded directory traversal sequences (e.g., %2e%252e%252f) into these parameters, allowing access to files outside the intended directories.
•	Impact: This could lead to unauthorized access to sensitive files on the server’s filesystem, including configuration files and database credentials. Such access may result in information disclosure, privilege escalation, or further compromise of the application and server.

Steps to Reproduce:

1.	Log in to the application with valid user credentials.
2.	Navigate to the functionality that handles file operations (for this, /DownloadWindow.php).
3.	For a PoC (on Linux): /DownloadWindow.php?filename=%2e%252e%252f%2e%252e%252f%2e%252e%252f%2e%252e%252f%2e%252e%252fetc%2fpasswd

I wanted to bring this to your immediate attention so that appropriate measures can be taken to address this issue. I am available to provide additional details or assist in resolving this vulnerability.

Details: https://github.com/Gurleyen/MY-CVE-References/tree/main/Opensis
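
One way to validate a download parameter against this class of input, as an added example that is not openSIS code and not part of the report: a hypothetical `resolve_download()` helper decodes the value until it stops changing, canonicalizes it with `realpath()`, and returns a path only if it stays inside an assumed base directory. The function name, base directory and sample file are assumptions; the second test input is the PoC value from the report.

```php
<?php
// Added example: hypothetical helper, not the project's code.
// Assumption: all downloadable files live under one base directory.
function resolve_download(string $baseDir, string $param): ?string
{
    // Decode to a fixed point so the check sees the same string the
    // filesystem would (%252e -> %2e -> "."). Cap the rounds and reject
    // anything still changing. Filenames with a literal "%" need care here.
    $name = $param;
    $rounds = 0;
    while (($decoded = rawurldecode($name)) !== $name) {
        if (++$rounds > 3) {
            return null;
        }
        $name = $decoded;
    }
    if ($name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "../" and symlinks; false means no such file.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false) {
        return null;
    }
    // Containment check on the canonical path, with a trailing separator
    // so "/srv/files-old" does not pass as being inside "/srv/files".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Constructed sample data for the demonstration.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . getmypid();
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'report.txt', "constructed sample\n");
$poc = '%2e%252e%252f%2e%252e%252f%2e%252e%252f%2e%252e%252f%2e%252e%252fetc%2fpasswd';
foreach (['report.txt', $poc, '..%2freport.txt'] as $input) {
    $out = resolve_download($dir, $input);
    echo substr($input, 0, 28), ' => ', $out === null ? 'rejected' : 'served ' . basename($out), "\n";
}
```

Only `report.txt` resolves to a path; both traversal inputs return `null` because the canonical path either does not exist or falls outside the base directory.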
