OS4ED openSIS Directory Traversal Vulnerability Allowing Arbitrary File Deletion

A directory traversal vulnerability has been identified in OS4ED openSIS versions 8.0 through 9.1. This vulnerability allows remote, authenticated attackers with admin or teacher roles to delete arbitrary files on the server. Exploitation involves sending a crafted POST request to the 'Modules.php' endpoint, including a base64-encoded filename of the target file to be deleted. Notably, deleting the 'Data.php' file disables database access, causing the application to malfunction.

Impact

Successful exploitation allows for arbitrary file deletion, which can disrupt application functionality and, in some cases, cause permanent data loss.

Reproduction

To reproduce this vulnerability, send a POST request to 'Modules.php' with the 'modname' parameter set to 'users/Staff.php'. Include the 'removefile' parameter with a base64-encoded filename of the file to be deleted. The request must also include 'title', 'include', 'modfunc', 'del', 'category_id', 'staff_id', and 'delete_ok' parameters. Ensure the account used has 'admin' or 'teacher' privileges.