CVE-2023-0316
Local File Read through Improper Filename Validation
Vulnerability Explanation
This vulnerability occurs because there is no filename validation on logo_image_login and logo_image_header in the import and export functions. An attacker can use a path traversal payload to read local files such as /etc/passwd or the froxlor config file.
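The following is an added illustration of the missing check, written for this page as an example and not taken from froxlor's code base. It models an import step that validates the two logo settings before accepting them and an export step that only embeds image_data for a path that passed validation. The base directory, the allowed extensions, the settings keys spelled as dotted names, and the in-memory file lookup are all assumptions constructed for the example; the traversal value is the one quoted in the advisory.

```python
import base64
import posixpath
from typing import Callable, Dict, List, Optional

# Constructed assumptions for this example (not froxlor's real layout):
# the directory under which theme logos are allowed to live, the extensions a
# logo may carry, and the two settings keys named in the advisory.
LOGO_BASE_DIR = "/var/www/panel/templates/Froxlor/assets"
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".svg"}
LOGO_KEYS = ("panel.logo_image_login", "panel.logo_image_header")


def validate_logo_path(value: str, base_dir: str = LOGO_BASE_DIR) -> Optional[str]:
    """Return the absolute, confined path for a logo setting, or None if unsafe.

    The check strips a cache-busting query string (e.g. "?v=1672300384"),
    rejects empty values, NUL bytes, absolute paths and any ".." component,
    enforces an extension allow-list, and finally confirms lexically that the
    normalised path still lies under base_dir. A real deployment should also
    apply os.path.realpath to the result so symlinks cannot escape base_dir.
    """
    if not value or "\x00" in value:
        return None
    rel = value.split("?", 1)[0].split("#", 1)[0]  # drop query string / fragment
    if not rel or posixpath.isabs(rel):
        return None
    if ".." in rel.split("/"):
        return None
    if posixpath.splitext(rel)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, rel))
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


def import_settings(settings: Dict[str, str]) -> Dict[str, object]:
    """Apply an uploaded settings document, dropping logo values that fail validation."""
    accepted = dict(settings)
    rejected: List[str] = []
    for key in LOGO_KEYS:
        if key in accepted and validate_logo_path(accepted[key]) is None:
            rejected.append(key)
            accepted.pop(key)
    return {"settings": accepted, "rejected": rejected}


def export_settings(settings: Dict[str, str],
                    read_file: Callable[[str], bytes]) -> Dict[str, Dict[str, str]]:
    """Serialise settings; embed base64 image_data only for validated logo paths.

    read_file is injected so the example runs offline against constructed data.
    """
    out: Dict[str, Dict[str, str]] = {}
    for key, value in settings.items():
        entry = {"value": value}
        if key in LOGO_KEYS:
            path = validate_logo_path(value)
            if path is not None:
                entry["image_data"] = base64.b64encode(read_file(path)).decode("ascii")
        out[key] = entry
    return out


if __name__ == "__main__":
    # Constructed sample: one traversal value (from the advisory) and one benign logo.
    uploaded = {
        "panel.logo_image_login": "../../../../../etc/passwd?v=1672300384",
        "panel.logo_image_header": "img/logo.png?v=1672300384",
    }
    fake_fs = {LOGO_BASE_DIR + "/img/logo.png": b"PNGDATA"}  # constructed file contents
    result = import_settings(uploaded)
    print("rejected on import:", result["rejected"])
    print(export_settings(uploaded, fake_fs.__getitem__))
```

The traversal value is rejected at import, so it never reaches the export step; even if a bad value were already stored, the export path re-validates before reading and would omit image_data rather than leak the file.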
Vulnerability Type
Local File Read
CVSS
Vendor
Affected Version
froxlor versions 0.10.38.3 up to 2.x
Proof of Concept
Go to the import function under "Settings".
Modify the filename on logo_image_login or logo_image_header with a path traversal payload, e.g.
"../../../../../etc/passwd?v=1672300384"
After the file has been successfully imported, go to "Settings" and then to the Export page.
Click Download/Export Settings; the leaked file will be in the panel.logo_image_login.image_data key of the JSON file, base64 encoded.
Exploit Code
Tested On
froxlor version: 2.0.0-beta1
Disclosure Timeline
2022-12-29: Vulnerability discovered.
2023-12-31: Vulnerability fixed.
2023-01-14: Vulnerability reported to the MITRE corporation.
2023-01-14: CVE has been assigned.
2023-01-16: Public disclosure of the vulnerability.
Researcher
Achmad Zaenuri Dahlan Putra (kos0ng)
Additional Information
Last updated