LogicalDOC Enterprise 7.7.4 Multiple Directory Traversal Vulnerabilities

2018-02-11T00:00:00
ID ZSL-2018-5450
Type zeroscience
Reporter Gjoko Krstic
Modified 2018-02-11T00:00:00

Description

Title: LogicalDOC Enterprise 7.7.4 Multiple Directory Traversal Vulnerabilities
Advisory ID: ZSL-2018-5450
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (4/5)
Release Date: 11.02.2018

Summary

LogicalDOC is a free document management system that is designed to handle and share documents within an organization. LogicalDOC is a content repository, with Lucene indexing, Activiti workflow, and a set of automatic import procedures.

Description

The application suffers from multiple post-authentication file disclosure vulnerabilities: input passed through the 'suffix' and 'fileVersion' parameters is not properly verified before being used to include files. This can be exploited to read arbitrary files from local resources with directory traversal attacks.

Vendor

LogicalDOC Srl - <https://www.logicaldoc.com>

Affected Version

7.7.4
7.7.3
7.7.2
7.7.1
7.6.4
7.6.2
7.5.1
7.4.2
7.1.1

Tested On

Microsoft Windows 10
Linux Ubuntu 16.04
Java 1.8.0_161
Apache-Coyote/1.1
Apache Tomcat/8.5.24
Apache Tomcat/8.5.13
Undisclosed 8.41

Vendor Status

[26.01.2018] Vulnerabilities discovered.
[30.01.2018] Vendor contacted.
[07.02.2018] No response from the vendor.
[08.02.2018] Vendor contacted again.
[10.02.2018] No response from the vendor.
[11.02.2018] Public security advisory released.

PoC

logicaldoc_lfi.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <https://exchange.xforce.ibmcloud.com/vulnerabilities/139087>
[2] <https://www.exploit-db.com/exploits/44019/>
[3] <https://packetstormsecurity.com/files/146352>
[4] <https://cxsecurity.com/issue/WLB-2018020146>

Changelog

[11.02.2018] - Initial release
[21.02.2018] - Added reference [1], [2], [3] and [4]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        