OS4ED openSIS Directory Traversal Vulnerability Allowing Arbitrary File Retrieval

Vulnerability

A directory traversal vulnerability has been identified in OS4ED openSIS versions 8.0 through 9.1. This vulnerability allows remote, authenticated attackers to retrieve arbitrary files from the host system. Exploitation involves sending a crafted POST request to the 'Modules.php' endpoint, specifically targeting the 'messaging/SentMail.php' module. The request must include a 'filename' parameter that is manipulated to traverse directories and access sensitive files, such as the '/etc/passwd' file.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the server, potentially including configuration files or other data that could be used for further attacks.

Reproduction

To reproduce this vulnerability, send a POST request to '/Modules.php?modname=messaging/SentMail.php&modfunc=save&filename'. Include a 'filename' parameter that uses directory traversal sequences ('../') to navigate the file system and access a targeted file, such as '/etc/passwd'.
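As an added detection example (not part of this advisory and not openSIS code), the following Python scans web-server access-log lines for the request shape described above: a request to Modules.php with modname=messaging/SentMail.php and a filename value containing a '..' path segment. The log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in combined log format; not from the advisory
# or from any real openSIS deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jun/2025:19:46:01 +0000] "POST /Modules.php?modname=messaging/SentMail.php&modfunc=save&filename=../../../../etc/passwd HTTP/1.1" 200 1523
10.0.0.6 - - [09/Jun/2025:19:46:02 +0000] "POST /Modules.php?modname=messaging/SentMail.php&modfunc=save&filename=report.pdf HTTP/1.1" 200 88213
10.0.0.7 - - [09/Jun/2025:19:46:03 +0000] "POST /Modules.php?modname=messaging/SentMail.php&modfunc=save&filename=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1523
10.0.0.8 - - [09/Jun/2025:19:46:04 +0000] "GET /Modules.php?modname=grades/Grades.php HTTP/1.1" 200 4412
"""

# ip, ident, user, [timestamp], "METHOD target PROTO", status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# A '..' segment bounded by a slash, backslash, or string edge.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def is_traversal(value: str) -> bool:
    """True if the value, after URL-decoding, contains a '..' path segment."""
    decoded = unquote(unquote(value))  # tolerate single and double encoding
    return TRAVERSAL_RE.search(decoded) is not None


def flag_sentmail_traversal(line: str):
    """Return (ip, filename) when a line matches the advisory's request shape, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != "/Modules.php":
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get("modname", [""])[0] != "messaging/SentMail.php":
        return None
    for fname in params.get("filename", []):
        if is_traversal(fname):
            return m.group("ip"), fname
    return None


def scan(log_text: str):
    """All (ip, filename) hits found in the given log text, in file order."""
    return [h for h in map(flag_sentmail_traversal, log_text.splitlines()) if h]


if __name__ == "__main__":
    for ip, fname in scan(SAMPLE_LOG):
        print(f"possible SentMail.php traversal from {ip}: filename={fname}")
```

A filename sent only in the POST body does not appear in a standard access log, so covering that case requires application-level or WAF request logging.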

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 0.8
exploitability: 6.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.