LogicalDOC Enterprise Directory Traversal Vulnerability Allowing Arbitrary File Disclosure

Vulnerability

A post-authentication file disclosure vulnerability has been identified in LogicalDOC Enterprise version 7.7.4. It allows an authenticated attacker to read arbitrary files by supplying crafted 'suffix' and 'fileVersion' parameters. The issue arises from improper validation of these parameters, which are used in path construction and can be manipulated to perform directory traversal. The vulnerability is reachable through the '/thumbnail' and '/convertpdf' endpoints and can be used to access sensitive system files such as 'win.ini' and '/etc/passwd'.
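The root cause named above is a file path assembled from request parameters that are never validated. The following Python is an added, illustrative example and is not LogicalDOC's code: it shows the two controls a defender would expect on a handler like '/thumbnail' or '/convertpdf', a strict allowlist on each parameter ('fileVersion' as dotted digits, 'suffix' as a plain file name) followed by a canonical containment check on the resolved path. The storage root, the parameter grammar, the function names and the sample requests are all constructed assumptions for the example.

```python
import re
from pathlib import Path

# Constructed storage root for rendered thumbnails and PDF conversions
# (assumption for this example; not LogicalDOC's real on-disk layout).
STORE_ROOT = Path("/var/lib/docstore").resolve()

# Allowlists for the two request parameters named in the advisory.
# fileVersion: dotted digits such as "1.0" or "2.13".
VERSION_RE = re.compile(r"\d+(?:\.\d+)*")
# suffix: a plain file name such as "thumb.png"; no separators, no leading
# dot, no consecutive dots, so ".." and "../x" can never match.
SUFFIX_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]*(?:\.[A-Za-z0-9_-]+)*")


def resolve_rendition(doc_id: int, file_version: str, suffix: str,
                      root: Path = STORE_ROOT) -> Path:
    """Map (docId, fileVersion, suffix) to a file below `root`, or raise ValueError.

    Validation runs on the already URL-decoded values, i.e. what the web
    framework hands the handler, so an encoded traversal sequence is seen in
    its decoded form here.
    """
    # 1. Syntactic allowlist: rejects '/', '\\', NUL and dot segments outright.
    if not VERSION_RE.fullmatch(file_version):
        raise ValueError(f"invalid fileVersion: {file_version!r}")
    if not SUFFIX_RE.fullmatch(suffix):
        raise ValueError(f"invalid suffix: {suffix!r}")

    # 2. Build the path from validated components, never by string concatenation.
    candidate = (root / str(doc_id) / file_version / suffix).resolve()

    # 3. Canonical containment check: after symlink and '..' resolution the
    #    file must still sit strictly below the store root.
    if root not in candidate.parents:
        raise ValueError("resolved path escapes the store root")
    return candidate


def is_safe_rendition_request(doc_id: int, file_version: str, suffix: str) -> bool:
    """True if the request resolves to a file inside the store, False otherwise."""
    try:
        resolve_rendition(doc_id, file_version, suffix)
    except ValueError:
        return False
    return True


# Constructed sample requests (doc_id, fileVersion, suffix); not real traffic.
# The traversal strings are the classic test vectors the advisory refers to.
SAMPLE_REQUESTS = [
    (42, "1.0", "thumb.png"),
    (42, "2.3", "conversion.pdf"),
    (42, "1.0", "../../../../etc/passwd"),
    (42, "../../../windows/win.ini", "thumb.png"),
    (42, "1.0", "..\\..\\win.ini"),
    (42, "1.0", "thumb.png\x00.jpg"),
]


def audit(requests=SAMPLE_REQUESTS) -> dict:
    """Return {(fileVersion, suffix): accepted?} for each sample request."""
    return {(v, s): is_safe_rendition_request(d, v, s) for d, v, s in requests}


if __name__ == "__main__":
    for (version, suffix), ok in audit().items():
        print(f"{'ACCEPT' if ok else 'REJECT'} fileVersion={version!r} suffix={suffix!r}")
```

The allowlist alone would already stop every traversal vector in the sample set; the containment check is kept as defence in depth, so that a future relaxation of the regexes (or a symlink planted inside the store) still cannot turn the handler into a file-read primitive.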

Impact

Exploitation of this vulnerability leads to unauthorized access to sensitive system files, potentially exposing critical information such as user credentials and system configurations.

Reproduction

The vulnerability can be reproduced by sending a GET request to the '/thumbnail' or '/convertpdf' endpoints with crafted 'suffix' or 'fileVersion' parameters that include directory traversal sequences. This request can be made using a web browser or a tool like curl or Postman.

Added: Dec 24, 2025, 8:20 PM
Updated: Dec 24, 2025, 9:26 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 1.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.