| Field | Value |
|---|---|
| Title | Industrial Application Software - IAS Canias ERP 8.03 - Directory traversal / Arbitrary file read |
| Description | A vulnerability classified as critical was found in Industrial Application Software caniasERP 8.03. It affects the doAction function of the Java RMI interface (default TCP port 27499). Manipulation of the m_strSourceFileName argument in iasRequestFileEvent with direction=0 (SERVER_TO_CLIENT) leads to unauthenticated arbitrary file read. The attack can be initiated remotely without any form of authentication, and no user interaction is required. An unauthenticated remote attacker can send a crafted iasRequestFileEvent to iasServerRemoteInterface.doAction() specifying any absolute file path in the m_strSourceFileName field without providing a session ID or credentials. The server reads and returns the requested file with the privileges of the caniasERP service account. No authentication check, authorization control, path canonicalization, or allowed-directory whitelist is enforced. Successful exploitation allows reading of arbitrary files accessible to the service account. Verified on Windows Server 2019; the following files were read without authentication: C:\Windows\win.ini and C:\Windows\System32\drivers\etc\hosts. ServerSettings.ias may contain plaintext or weakly protected database credentials and application secrets, which significantly increases the impact of this vulnerability. The vulnerability was identified through reverse engineering of the caniasERP client JAR files. These JAR files are publicly distributed without authentication via the application's JNLP launch endpoint (caniasout.jnlp), which is accessible over HTTP without any credentials. Decompilation of the JAR files revealed the iasRequestFileEvent class structure, the m_strSourceFileName and m_nDirection field names, the RMI binding name format (XXXXXXXXS2OUT), and the complete absence of any server-side authentication or path validation in the FILETRANSFER handler. |
| Source | https://gist.github.com/0xb1lal/3885c69998516685e3ea833403b9db2b |
| User | b1lal (UID 97312) |
| Submission | 20.04.2026 16:51 (1 month ago) |
| Moderation | 09.05.2026 09:19 (19 days later) |
| Status | accepted |
| VulDB Entry | 362432 [Industrial Application Software IAS Canias ERP 8.03 RMI Interface iasRequestFileEvent m_strSourceFileName directory traversal] |
| Points | 20 |
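The description lists four missing controls in the FILETRANSFER handler: session check, direction check, path canonicalization and an allowed-directory whitelist. The following is an added example of what such a server-side guard looks like in Java; it is not caniasERP code. The class name FileTransferGuard, the sessionValid flag, the base-directory concept and the value assumed for SERVER_TO_CLIENT are assumptions; only m_strSourceFileName and the direction value 0 come from the advisory.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example, not part of caniasERP: the checks the advisory reports as
 * absent from the FILETRANSFER handler. FileTransferGuard, sessionValid and
 * baseDir are hypothetical names; SERVER_TO_CLIENT = 0 follows the advisory.
 */
public final class FileTransferGuard {
    public static final int SERVER_TO_CLIENT = 0; // direction value for server-to-client reads (advisory)

    private final Path baseDir; // the only directory files may be served from (assumed whitelist)

    public FileTransferGuard(Path baseDir) throws IOException {
        // Resolve symlinks once so every later comparison is against the real location.
        this.baseDir = baseDir.toRealPath();
    }

    /**
     * Returns the file that may be sent, or throws SecurityException if the
     * request must be refused. sessionValid stands in for whatever session or
     * authorization check the application uses; it is evaluated before any
     * path handling so an unauthenticated caller never reaches the filesystem.
     */
    public Path resolveSource(boolean sessionValid, int direction, String m_strSourceFileName)
            throws IOException {
        if (!sessionValid) throw new SecurityException("no authenticated session");
        if (direction != SERVER_TO_CLIENT) throw new SecurityException("unexpected direction");
        if (m_strSourceFileName == null || m_strSourceFileName.isEmpty())
            throw new SecurityException("empty file name");

        Path requested = Paths.get(m_strSourceFileName);
        // Absolute names such as C:\Windows\win.ini are never acceptable as a client-supplied name.
        if (requested.isAbsolute()) throw new SecurityException("absolute path rejected");

        // normalize() strips "." and ".." segments; the startsWith check is what enforces the whitelist.
        Path candidate = baseDir.resolve(requested).normalize();
        if (!candidate.startsWith(baseDir)) throw new SecurityException("path escapes base directory");

        // Re-check after symlink resolution so a link inside baseDir cannot point outside it.
        Path real = candidate.toRealPath(); // throws NoSuchFileException if the file does not exist
        if (!real.startsWith(baseDir) || !Files.isRegularFile(real))
            throw new SecurityException("not a regular file under base directory");
        return real;
    }
}
```

With this guard in front of the read, an absolute name fails at the isAbsolute check and a ..\..\ name fails at the startsWith check, so the read never reaches files outside the configured directory regardless of the service account's privileges.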