Erjinzhi 10OA File Path Traversal Vulnerability

A critical file path traversal vulnerability has been identified in Erjinzhi 10OA version 1.0. The issue resides in the '/view/file.aspx' endpoint, where insufficient validation of the 'file' parameter allows attackers to traverse directories and access sensitive system files. Exploitation of this vulnerability has been demonstrated by reading the Windows configuration file 'C:\windows\win.ini', indicating a lack of restrictions on accessing critical system paths. This vulnerability could lead to unauthorized access to sensitive files, such as configuration data and credentials, and may facilitate further server compromise when combined with other vulnerabilities.

Impact

Exploitation of this vulnerability allows for unauthorized access to sensitive files on the server, including configuration files, credentials, and log data. Such access could potentially lead to a broader compromise of the server, especially if other vulnerabilities are present.

Reproduction

The vulnerability can be reproduced by sending a GET request to the '/view/file.aspx' endpoint with a crafted 'file' parameter value that includes '../' sequences. This manipulation bypasses directory restrictions and accesses files outside the intended directory. The vulnerability can be exploited without any authentication.

Remediation

It is recommended to implement proper input validation and sanitization for the 'file' parameter, restricting access to a safe directory. Additionally, use secure file access methods that prevent path traversal, and ensure that the Content-Type header is accurately set based on the requested file type.