Attached files under salaries module can be harvested by unauthenticated users

Published: 2023-04-05 10:55:56
Reporter: b1tch3s
Source: www.huntr.dev
Tags: file attachment security, unauthenticated access, confidential information disclosure, automated enumeration, burp intruder, information harvesting, predictable filename, path traversal

EPSS: 0.001 (Low), percentile 44.8%

Description

File attachments under the salaries module can be downloaded and viewed by anyone without authentication, given only the full path (/assets/FileUploads/2022/staff_2/*) and the predictable filename. The filename consists of a date (YYYY-MM-DD) and a random 6-digit number, and that number can be enumerated by an automated tool using a list of all possible 6-digit combinations. Attachments under the salaries module may contain confidential salary information and other sensitive data belonging to the intended owner.

Example: http://X.X.X.X/assets/FileUploads/2022/staff_2/payslip_2023-04-05_021223.jpg

Replication

  1. Send the above endpoint to Burp Intruder.
  2. Set the payload position on the trailing 6-digit number,
    example: GET /rosariosis/assets/FileUploads/2022/staff_2/payslip_2023-04-05_§021223§.jpg
  3. Add a payload list containing all possible 6-digit combinations.
  4. Start the attack; every request that returns a 200 status is a file that can be harvested.
    Note: the date in the filename (YYYY-MM-DD) can also be configured as a payload position for enumeration.
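As an added defensive example (not part of the original report), the following Python scans web-server access logs for the enumeration pattern described above: one client requesting many distinct payslip_<date>_<6 digits> paths with a high miss ratio. The log lines and IP addresses are constructed; the /rosariosis/ prefix follows the request shown in step 2.

```python
import re
from collections import defaultdict

# Salaries-module attachment path from the report:
# [/prefix]/assets/FileUploads/<year>/staff_<id>/payslip_<YYYY-MM-DD>_<6 digits>.<ext>
PAYSLIP_RE = re.compile(
    r'"GET /(?:[^/ ]+/)?assets/FileUploads/\d{4}/staff_\d+/'
    r'payslip_(?P<date>\d{4}-\d{2}-\d{2})_(?P<num>\d{6})\.\w+ HTTP/[\d.]+" '
    r'(?P<status>\d{3}) '
)
# Apache/nginx combined format: ip ident user [timestamp] request status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] (?P<rest>.*)$')

def summarize(lines):
    """Per client IP: distinct (date, suffix) pairs probed, 200s and non-200s."""
    stats = defaultdict(lambda: {"probed": set(), "hits": 0, "misses": 0})
    for line in lines:
        m = LOG_RE.match(line)
        p = PAYSLIP_RE.search(m.group("rest")) if m else None
        if not p:
            continue  # not a salaries attachment request
        s = stats[m.group("ip")]
        s["probed"].add((p.group("date"), p.group("num")))
        s["hits" if p.group("status") == "200" else "misses"] += 1
    return stats

def flag_enumerators(lines, min_probes=5, min_miss_ratio=0.8):
    """IPs that probed many suffixes and mostly missed: suffix enumeration."""
    flagged = []
    for ip, s in summarize(lines).items():
        total = s["hits"] + s["misses"]
        if len(s["probed"]) >= min_probes and s["misses"] / total >= min_miss_ratio:
            flagged.append(ip)
    return sorted(flagged)

def _line(ip, path, status):
    return (f'{ip} - - [05/Apr/2023:10:55:56 +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')

# Constructed sample log: one legitimate download, then a scanner walking suffixes.
BASE = "/rosariosis/assets/FileUploads/2022/staff_2/payslip_2023-04-05_"
SAMPLE_LOG = [_line("203.0.113.10", BASE + "021223.jpg", 200)]
SAMPLE_LOG += [_line("198.51.100.7", BASE + f"{n:06d}.jpg", 200 if n == 21223 else 404)
               for n in range(21220, 21227)]

if __name__ == "__main__":
    print(flag_enumerators(SAMPLE_LOG))  # ['198.51.100.7']
```

The thresholds are starting points; on a real server the miss ratio for a full 6-digit sweep is close to 1, so a stricter ratio with a larger probe count cuts false positives from users re-fetching their own files.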

