Shenzhen Sixun Software Sixun Shanghui Group Business Management System Unauthorized File Download Vulnerability
Vulnerability
A vulnerability allowing unauthorized file downloads has been identified in Shenzhen Sixun Software's Sixun Shanghui Group Business Management System version 4.10.24.3. This issue arises in the '/ExportFiles/' interface, where files or directories can be accessed without proper authorization. The vulnerability can be exploited remotely, but it requires a complex exploitation process.
Impact
Exploitation of this vulnerability leads to unauthorized access to files, potentially disclosing sensitive information.
Reproduction
To reproduce this vulnerability, send a GET request to the '/ExportFiles/' endpoint, appending the desired filename. The request must include a Referer header that points to a specific WebPages/Dcm/DOSheet.aspx URL, along with the appropriate User-Agent and Accept headers. Once the request is sent, the server responds with the requested file, demonstrating the unauthorized access.
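The reproduction above needs nothing beyond a Referer pointing at a DOSheet.aspx page, which suggests the export endpoint gates on a client-supplied header rather than on server-side session state. The handler pair below is an added illustration, not code from Sixun or from this advisory: it assumes that mechanism, a hypothetical export directory, and a hypothetical session layer, and shows the weak check beside a corrected one that authorizes on the session and confines the resolved path to the export directory.

```python
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, Optional, Tuple

# Hypothetical on-disk directory that backs the '/ExportFiles/' URL prefix.
EXPORT_ROOT = Path("/srv/app/ExportFiles").resolve()
URL_PREFIX = "/ExportFiles/"


@dataclass
class Request:
    path: str                                   # request path, e.g. "/ExportFiles/report.xlsx"
    headers: Dict[str, str] = field(default_factory=dict)
    session_user: Optional[str] = None          # filled in by the app's session layer (assumed)


def serve_export_weak(req: Request) -> Tuple[int, str]:
    """Illustrative weak pattern: treats the Referer header as proof of authorization.

    Referer is set by the client, so any caller can supply the expected value;
    no session is checked and the filename is joined onto the export root as-is.
    """
    if "WebPages/Dcm/DOSheet.aspx" not in req.headers.get("Referer", ""):
        return 403, "forbidden"
    name = req.path[len(URL_PREFIX):]
    return 200, str(EXPORT_ROOT / name)


def serve_export_hardened(req: Request) -> Tuple[int, str]:
    """Corrected pattern: authorize on server-side session state, then contain the path."""
    # 1. Authorization comes from the session the server established, never from headers.
    if req.session_user is None:
        return 401, "authentication required"
    if not req.path.startswith(URL_PREFIX):
        return 404, "not found"
    # 2. Resolve the requested name and require it to stay strictly under EXPORT_ROOT,
    #    which rejects '..' segments, absolute paths and the empty name.
    candidate = (EXPORT_ROOT / req.path[len(URL_PREFIX):]).resolve()
    if EXPORT_ROOT not in candidate.parents:
        return 400, "bad request"
    return 200, str(candidate)
```

The Referer-only check is satisfied by any client that copies the expected header, while the hardened version refuses the same request until the server itself has authenticated the user.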
