CVE-2023-0316

Local File Read through Improper Filename Validation

Vulnerability Explanation

This vulnerability occurs because there is no filename validation on the logo_image_login and logo_image_header settings in the settings import and export functions. An attacker can use a path traversal payload to read local files such as /etc/passwd or the froxlor config file.

Vulnerability Type

  • Local File Read

CVSS

Vendor

Affected Version

  • froxlor version 0.10.38.3 until 2.x

Proof of Concept

  1. Go to import function on "Settings"

  2. Modify the filename in logo_image_login or logo_image_header with a path traversal payload, e.g. "../../../../../etc/passwd?v=1672300384"

  3. After the file has been imported successfully, go to "Settings" and open the Export page

  4. Click Download/Export Settings; the leaked file is then present in the exported JSON file under the panel.logo_image_login.image_data key, base64 encoded
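The missing check described in the explanation and exercised by the steps above is a filename validation for the two logo settings. The following is an added example (not froxlor's own code) of such a validator, plus a helper that flags logo entries in an exported settings file whose filename fails that check. The logo directory path, the allowed extensions and the flat key layout of the export JSON are assumptions for this example, and the sample export is constructed.

```python
import json
import os
from pathlib import Path

# Assumed location of logo images; a placeholder, not froxlor's real path.
LOGO_ROOT = Path("/var/www/froxlor/img/logos")
ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif", ".svg"}
# The two settings named in the advisory; key layout of the export is assumed.
LOGO_KEYS = ("panel.logo_image_login", "panel.logo_image_header")


def is_safe_logo_filename(value: str, root: Path = LOGO_ROOT) -> bool:
    """Accept only a bare image filename that resolves to a file directly under root."""
    # Drop any cache-buster query string ("?v=...") before validating the name.
    name = value.split("?", 1)[0]
    # Reject anything carrying a directory component ("../", "/", "\\") or a NUL byte.
    if not name or "\\" in name or "\x00" in name or name != os.path.basename(name):
        return False
    # Reject dotfiles and the "." / ".." entries themselves.
    if name.startswith("."):
        return False
    if Path(name).suffix.lower() not in ALLOWED_SUFFIXES:
        return False
    # Defense in depth: the canonical path must still sit directly inside root.
    return (root / name).resolve().parent == root.resolve()


def suspicious_logo_settings(exported_json: str) -> list:
    """Return the logo keys in an exported settings JSON whose filename is not safe."""
    data = json.loads(exported_json)
    return [key for key in LOGO_KEYS
            if key in data and not is_safe_logo_filename(str(data[key]))]


# Constructed sample export: one tampered entry, one legitimate entry.
SAMPLE_EXPORT = json.dumps({
    "panel.logo_image_login": "../../../../../etc/passwd?v=1672300384",
    "panel.logo_image_login.image_data": "PGNvbnN0cnVjdGVkIHBsYWNlaG9sZGVyPg==",
    "panel.logo_image_header": "header.png?v=5",
    "panel.logo_image_header.image_data": "PGNvbnN0cnVjdGVkIHBsYWNlaG9sZGVyPg==",
})

if __name__ == "__main__":
    print(suspicious_logo_settings(SAMPLE_EXPORT))
```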

Exploit Code

# TBU

Tested On

  • froxlor version: 2.0.0-beta1

Disclosure Timeline

  • 2022-12-29: Vulnerability discovered.

  • 2023-12-31: Vulnerability fixed.

  • 2023-01-14: Vulnerability reported to the MITRE corporation.

  • 2023-01-14: CVE has been assigned.

  • 2023-01-16: Public disclosure of the vulnerability.

Researcher

  • Achmad Zaenuri Dahlan Putra (kos0ng)

Additional Information