OS4ED openSIS Directory Traversal Vulnerability Allowing Arbitrary File Retrieval

A directory traversal vulnerability has been identified in OS4ED openSIS versions 8.0 through 9.1. This vulnerability allows remote, authenticated attackers to retrieve arbitrary files from the host system. Exploitation involves sending a crafted POST request to the 'Modules.php' endpoint, specifically targeting the 'messaging/Inbox.php' module. Attackers can manipulate the 'filename' parameter to include '../' sequences, effectively traversing directories and accessing sensitive files, such as the '/etc/passwd' file.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the server, potentially including configuration files or other data that could be used for further attacks.

Reproduction

To reproduce this vulnerability, send a POST request to the 'Modules.php' endpoint with the 'modname' parameter set to 'messaging/Inbox.php', the 'modfunc' parameter set to 'save', and the 'filename' parameter crafted to include directory traversal sequences ('../') followed by the name of the target file. This can be done using a tool like Burp Suite or Postman, or through a custom script that automates the process.