Aaluoxiang OA System Path Traversal Vulnerability in ProcedureController
Vulnerability
A path traversal vulnerability has been identified in the Aaluoxiang OA System, specifically in the ProcedureController.java file. This vulnerability allows for arbitrary file read operations by exploiting the 'show/**' API route. The issue arises because the application does not properly validate user-supplied input in the request URI, enabling attackers to manipulate file paths and access sensitive information on the server. The vulnerability can be exploited remotely, and a public proof-of-concept is available.
Impact
Exploitation of this vulnerability allows for unauthorized reading of files on the server, potentially leading to leakage of sensitive information.
Reproduction
To reproduce this vulnerability, deploy the Aaluoxiang OA System and log in to obtain a valid 'JSESSIONID' cookie. Then, send a GET request to the 'show/**' route, including a crafted file path that uses '../' sequences to traverse directories and access sensitive files, such as the 'passwd.txt' file.
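The control missing here is a containment check on the user-supplied path before the file is opened. The hypothetical SafePathResolver below is an added example, not code from the Aaluoxiang OA System or its ProcedureController, showing how a handler behind a route like 'show/**' can resolve the wildcard part of the URI safely; the base directory and file names in main are constructed for the demo.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical helper, not the project's code: resolves the "**" part of a
// "show/**" request against a fixed base directory and rejects anything that
// escapes it, which is the containment check a traversal bug is missing.
public final class SafePathResolver {
    private final Path baseDir;
    public SafePathResolver(Path baseDir) throws IOException {
        // Canonicalize once; the directory must exist so symlinks are resolved.
        this.baseDir = baseDir.toRealPath();
    }

    // Returns the canonical path of the requested file if it lies inside
    // baseDir; throws otherwise. Covers "../", absolute paths and symlinks.
    public Path resolve(String userPath) throws IOException {
        if (userPath == null || userPath.isEmpty() || userPath.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid path");
        }
        // Lexical check: normalize() collapses "." and "..", so "a/../../passwd.txt"
        // becomes "../passwd.txt" and fails the prefix test. An absolute input
        // is returned unchanged by resolve() and fails the same test.
        Path candidate = baseDir.resolve(Paths.get(userPath)).normalize();
        if (!candidate.startsWith(baseDir)) {
            throw new SecurityException("path escapes base directory: " + userPath);
        }
        // Filesystem check: toRealPath() follows symlinks, so a link planted
        // under baseDir cannot be used to read files outside it.
        Path real = candidate.toRealPath();
        if (!real.startsWith(baseDir) || !Files.isRegularFile(real)) {
            throw new SecurityException("not a regular file inside base: " + userPath);
        }
        return real;
    }

    // Demo on a constructed temp directory: one allowed read, one rejected.
    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("oa-procedures");
        Files.writeString(base.resolve("leave.pdf"), "constructed sample");
        SafePathResolver r = new SafePathResolver(base);
        System.out.println("allowed:  " + r.resolve("leave.pdf"));
        try {
            r.resolve("../../../etc/passwd");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The second, filesystem-level check matters because the lexical test alone passes a symlink that sits inside the base directory but points outside it.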