提交 #459908: InvoicePlane 1.6.1 Directory Traversal信息

标题InvoicePlane 1.6.1 Directory Traversal
描述### Detailed Summary of Directory Traversal Vulnerability **Vulnerability Description:** The InvoicePlane application is vulnerable to a directory traversal attack due to improper handling of the `invoice` parameter in the `download` method of the `Invoices.php` controller. This vulnerability arises because the application constructs file paths using user input without adequate sanitization, allowing attackers to manipulate the file path to access unintended directories and files on the server. Additionally, the root path is also vulnerable, exposing sensitive files like `.htaccess` without requiring authentication. **Impact:** Exploiting this vulnerability can have severe consequences. An attacker could potentially access sensitive files, such as configuration files containing database credentials or user invoices, leading to unauthorized data access and potential data breaches. For example, by accessing the `.htaccess` file, an attacker could gain insights into server configurations, which might be leveraged for further attacks. **Authenticated Attacker:** - **Vulnerable Endpoint:** `/invoices/download` - **Example Request to Access `.htaccess`:** ``` GET /invoices/download/.htaccess HTTP/1.1 Host: demo.invoiceplane.com Cookie: ip_csrf_cookie=fdca63bee9423987890245618577f2c9; ip_session=ds014sgtll8s3i6t49re6tlrslujb5ks ``` - **Received Response:** - **Status Code:** 200 OK - **Response Body Snippet:** ``` Deny from all ``` - **Explanation:** Accessing the `.htaccess` file through the `/invoices/download` endpoint confirms the vulnerability. An attacker with authenticated access could exploit this to access other sensitive files, potentially leading to data breaches or further exploitation of the server. **Unauthenticated Attacker:** - **Vulnerable Path:** `/htaccess` - **Example Request:** ``` GET /htaccess HTTP/1.1 Host: demo.invoiceplane.com ``` - **Received Response:** - **Status Code:** 200 OK - **Response Headers:** ``` Date: Wed, 04 Dec 2024 20:01:48 GMT Content-Length: 443 Last-Modified: Sat, 09 Dec 2023 08:45:30 GMT Etag: "1bb-60c0fb91d1e80" Accept-Ranges: bytes Cf-Cache-Status: DYNAMIC Server: cloudflare ``` - **Response Body Snippet:** ``` ### InvoicePlane htaccess <IfModule mod_rewrite.c> RewriteEngine On ### uncomment to force HTTPS # RewriteCond %{HTTPS} off # RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L] RewriteRule ^index\\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d ### uncomment and adjust if installed in subdirectory # RewriteRule . /subfolder/index.php [L] RewriteRule . /index.php [L] </IfModule> ``` - **Explanation:** The `.htaccess` file is a configuration file used by the Apache web server to control access to directories and files. Exposing this file can reveal sensitive server configurations, such as access control rules, which can be exploited by attackers to bypass security measures or gain unauthorized access to restricted areas of the server. This issue is an additional concern beyond the primary vulnerability. **Vulnerable Code Snippet:** - **Location:** `Invoices.php` Controller - **Explanation:** The `download` method uses the `invoice` parameter directly in a file path without proper sanitization, leading to directory traversal. **Remediation:** - **Input Validation:** Implement strict input validation to ensure only valid file names are accepted. - **Sanitization:** Use functions like `basename()` to strip directory traversal sequences. - **Access Controls:** Configure the server to restrict access to sensitive files. - **Security Audits:** Conduct regular security audits to identify and remediate similar vulnerabilities. ### Credit This report was generated using Fuzz-e, an advanced vulnerability discovery and exploitation tool designed to assist penetration testers in identifying and exploiting security flaws effectively. By leveraging intelligent iterations and exploit improvement, Fuzz-e streamlines the penetration testing process, providing actionable insights for enhancing application security.
来源⚠️ https://owasp.org/www-community/attacks/Path_Traversal
用户
 Dan_AC (UID 78862)
提交2024-12-10 03時26分 (2 年前)
管理2024-12-16 10時32分 (6 days later)
状态已接受
VulDB条目288537 [InvoicePlane 直到 1.6.1 invoices.php download 发票 目录遍历]
积分20

Interested in the pricing of exploits?

See the underground prices here!