Vulnerability Description: Multiple Relative Path Traversal – CWE-23
Software Version: 1.6.4
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-31841
CVSv3:
Severity:
Credits: Luca Carbone, Fabio Romano, Federico Draghelli, Massimiliano Brolli
The web server fails to sanitize the input data allowing remote unauthenticated attackers to read arbitrary files on the filesystem.
Step-by-step instructions and PoC
An unauthenticated user can read arbitrary files using multiple functionalities of the web application. An attacker can change the “filename” parameter in the POST request by adding sequences of ‘../’ in order to reference files outside the intended directory. Since the application does not check in which directory the file will be read, an attacker can access any file on the filesystem, including application source code, configuration files and so on.
Affected Endpoints
· URL: https://[HOST]/[NODE-NAME/supervoip/api/v1/reportTraceBCCAS/buttonViewReportTraceBCCAS/[ANY-STRING]/[ANY-STRING]/it
· URL: https://[HOST]/[NODE-NAME]/ supervoip/api/v1/logTrace/buttonViewLogTrace/[ANY-STRING]/[ANY-STRING]/it
· URL: https://[HOST]/[NODE-NAME]/ supervoip/api/v1/reportTrace/buttonViewReportTrace/[ANY-STRING]/[ANY-STRING]/it
· URL: https://[HOST]/[NODE-NAME]/ supervoip/api/v1/logTraceBCCAS/buttonViewLogTraceBCCAS/[ANY-STRING]/[ANY-STRING]/it
Below are the evidences with the vulnerability details and the payloads used.
Payload used to exploit the vulnerability:
