Four-Faith Water Conservancy Informatization Platform Path Traversal Vulnerability
Vulnerability
A critical path traversal vulnerability has been identified in Four-Faith Water Conservancy Informatization Platform version 1.0. The issue arises in the download.do endpoint, where the application improperly validates the fileName parameter, allowing unauthorized users to read arbitrary files from the server. This vulnerability can be exploited remotely, potentially leading to the disclosure of sensitive information such as configuration files.
Impact
Exploitation of this vulnerability allows for arbitrary file read access, enabling attackers to access sensitive server files, including configuration data and other critical information.
Reproduction
To reproduce this vulnerability, send a GET request to the download.do endpoint with a crafted fileName parameter that includes directory traversal sequences. This will bypass the application's file access restrictions and allow access to arbitrary files on the server.
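The defect described above is a download handler that joins a user-supplied fileName onto its download directory without checking where the result lands. The following is an added example, not code from the Four-Faith platform (whose implementation is not on the page): the vulnerable resolver pattern beside a hardened one that confines every request to an assumed download root, with constructed file names for illustration.

```python
# Added example: vulnerable vs. hardened path resolution for a download endpoint.
# DOWNLOAD_ROOT and the file names below are assumptions, not values from the advisory.
import posixpath

DOWNLOAD_ROOT = "/srv/app/downloads"   # assumed directory holding legitimate downloads


class PathTraversalError(ValueError):
    """Raised when a requested fileName would resolve outside DOWNLOAD_ROOT."""


def resolve_unsafe(file_name: str) -> str:
    """Vulnerable pattern: the user-controlled fileName is joined to the root and
    normalised, but nothing verifies that '../' sequences kept it inside the root."""
    return posixpath.normpath(posixpath.join(DOWNLOAD_ROOT, file_name))


def resolve_safe(file_name: str) -> str:
    """Hardened pattern: reject obviously bad names, normalise, then verify the
    final path is still inside DOWNLOAD_ROOT before any file is opened.
    (On a real server, apply os.path.realpath as well so symlinks cannot escape.)"""
    if not file_name or file_name != file_name.strip():
        raise PathTraversalError("empty or whitespace-padded fileName")
    # Treat both slash styles as separators so a backslash form cannot slip past.
    candidate = file_name.replace("\\", "/")
    if candidate.startswith("/") or "\0" in candidate:
        raise PathTraversalError("absolute path or NUL byte in fileName")
    resolved = posixpath.normpath(posixpath.join(DOWNLOAD_ROOT, candidate))
    # commonpath is the containment check; a plain startswith() would wrongly
    # accept a sibling directory such as /srv/app/downloads-old.
    if resolved == DOWNLOAD_ROOT or posixpath.commonpath([DOWNLOAD_ROOT, resolved]) != DOWNLOAD_ROOT:
        raise PathTraversalError(f"fileName escapes download root: {file_name!r}")
    return resolved


def is_traversal_attempt(file_name: str) -> bool:
    """Convenience wrapper for request logging or a detection rule on download.do traffic."""
    try:
        resolve_safe(file_name)
    except PathTraversalError:
        return True
    return False
```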
