CVE-2023-0316

Local File Read through Improper Filename Validation

Vulnerability Explanation

This vulnerability occur because there is no filename validation on logo_image_login and logo_image_header on import and export function. Attacker can use path traversal payload to read local file such as /etc/passwd or froxlor config file.

Vulnerability Type

Local File Read

CVSS

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N (Medium)

Vendor

froxlor

Affected Version

froxlor version 0.10.38.3 until 2.x

Proof of Concept

Go to import function on "Settings"
Modify filename on logo_image_login or logo_image_header with path traversal payload , e.g "../../../../../etc/passwd?v=1672300384"
After successfully imported file, go to "Settings" and go to Export page
Click Download/Export Settings, then leaked file will be on panel.logo_image_login.image_data key on json file in base64 encoded format

Exploit Code

# TBU

Tested On

froxlor version: 2.0.0-beta1

Disclosure Timeline

2022-12-29: Vulnerability discovered.
2023-12-31: Vulnerability fixed.
2023-01-14: Vulnerability reported to the MITRE corporation.
2023-01-14: CVE has been assigned.
2023-01-16: Public disclosure of the vulnerability.

Researcher

Achmad Zaenuri Dahlan Putra (kos0ng)

Additional Information

Last updated 2 years ago

hashtagVulnerability Explanation

hashtagVulnerability Type

hashtagCVSS

hashtagVendor

hashtagAffected Version

hashtagProof of Concept

hashtagExploit Code

hashtagTested On

hashtagDisclosure Timeline

hashtagResearcher

hashtagAdditional Information