제출 #459908: InvoicePlane 1.6.1 Directory Traversal정보

제목InvoicePlane 1.6.1 Directory Traversal
설명### Detailed Summary of Directory Traversal Vulnerability **Vulnerability Description:** The InvoicePlane application is vulnerable to a directory traversal attack due to improper handling of the `invoice` parameter in the `download` method of the `Invoices.php` controller. This vulnerability arises because the application constructs file paths using user input without adequate sanitization, allowing attackers to manipulate the file path to access unintended directories and files on the server. Additionally, the root path is also vulnerable, exposing sensitive files like `.htaccess` without requiring authentication. **Impact:** Exploiting this vulnerability can have severe consequences. An attacker could potentially access sensitive files, such as configuration files containing database credentials or user invoices, leading to unauthorized data access and potential data breaches. For example, by accessing the `.htaccess` file, an attacker could gain insights into server configurations, which might be leveraged for further attacks. **Authenticated Attacker:** - **Vulnerable Endpoint:** `/invoices/download` - **Example Request to Access `.htaccess`:** ``` GET /invoices/download/.htaccess HTTP/1.1 Host: demo.invoiceplane.com Cookie: ip_csrf_cookie=fdca63bee9423987890245618577f2c9; ip_session=ds014sgtll8s3i6t49re6tlrslujb5ks ``` - **Received Response:** - **Status Code:** 200 OK - **Response Body Snippet:** ``` Deny from all ``` - **Explanation:** Accessing the `.htaccess` file through the `/invoices/download` endpoint confirms the vulnerability. An attacker with authenticated access could exploit this to access other sensitive files, potentially leading to data breaches or further exploitation of the server. **Unauthenticated Attacker:** - **Vulnerable Path:** `/htaccess` - **Example Request:** ``` GET /htaccess HTTP/1.1 Host: demo.invoiceplane.com ``` - **Received Response:** - **Status Code:** 200 OK - **Response Headers:** ``` Date: Wed, 04 Dec 2024 20:01:48 GMT Content-Length: 443 Last-Modified: Sat, 09 Dec 2023 08:45:30 GMT Etag: "1bb-60c0fb91d1e80" Accept-Ranges: bytes Cf-Cache-Status: DYNAMIC Server: cloudflare ``` - **Response Body Snippet:** ``` ### InvoicePlane htaccess <IfModule mod_rewrite.c> RewriteEngine On ### uncomment to force HTTPS # RewriteCond %{HTTPS} off # RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L] RewriteRule ^index\\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d ### uncomment and adjust if installed in subdirectory # RewriteRule . /subfolder/index.php [L] RewriteRule . /index.php [L] </IfModule> ``` - **Explanation:** The `.htaccess` file is a configuration file used by the Apache web server to control access to directories and files. Exposing this file can reveal sensitive server configurations, such as access control rules, which can be exploited by attackers to bypass security measures or gain unauthorized access to restricted areas of the server. This issue is an additional concern beyond the primary vulnerability. **Vulnerable Code Snippet:** - **Location:** `Invoices.php` Controller - **Explanation:** The `download` method uses the `invoice` parameter directly in a file path without proper sanitization, leading to directory traversal. **Remediation:** - **Input Validation:** Implement strict input validation to ensure only valid file names are accepted. - **Sanitization:** Use functions like `basename()` to strip directory traversal sequences. - **Access Controls:** Configure the server to restrict access to sensitive files. - **Security Audits:** Conduct regular security audits to identify and remediate similar vulnerabilities. ### Credit This report was generated using Fuzz-e, an advanced vulnerability discovery and exploitation tool designed to assist penetration testers in identifying and exploiting security flaws effectively. By leveraging intelligent iterations and exploit improvement, Fuzz-e streamlines the penetration testing process, providing actionable insights for enhancing application security.
원천⚠️ https://owasp.org/www-community/attacks/Path_Traversal
사용자
 Dan_AC (UID 78862)
제출2024. 12. 10. AM 03:26 (2 연령 ago)
모더레이션2024. 12. 16. AM 10:32 (6 days later)
상태수락
VulDB 항목288537 [InvoicePlane 까지 1.6.1 invoices.php download 송장 디렉토리 순회]
포인트들20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!