Sourcecodester Client Database Management System V1.0 has a directory traversal vulnerability #3
Description
Sourcecodester Client Database Management System V1.0 has a directory traversal vulnerability
NAME OF AFFECTED PRODUCT(S)
Client Database Management System
Vendor Homepage
https://www.sourcecodester.com/php/17514/client-database-management-system.html
AFFECTED AND/OR FIXED VERSION(S)
DengXun
Vulnerable File
/cdm/database/
/cdm/build/
/cdm/uploads/
VERSION(S)
v1.0
Software Link
https://www.sourcecodester.com
PROBLEM TYPE
Vulnerability Type
directory traversal
Root Cause
A directory traversal vulnerability was discovered in the "Client Database Management System" project. The cause of this vulnerability is that the developer did not configure the web directory with reasonable permissions, which allowed attackers to access files in the directory without authorization, causing information leakage. In severe cases, it can lead to the leakage of all files in the web directory.
Impact
Attackers can exploit this directory traversal vulnerability to achieve unauthorized database access, sensitive data leakage, data tampering, comprehensive system control, and even service interruption, posing a serious threat to system security and business continuity.
DESCRIPTION
During the security review of the "Client Database Management System", I discovered a medium severity directory traversal vulnerability in the system. The vulnerability is due to insufficient validation of user authorization input to the web directory, allowing an attacker to maliciously access the directory. As a result, the attacker can gain unauthorized access to the database, modify or delete data, and access sensitive information. Immediate remediation is required to ensure the system is secure and protect data integrity.
No login or authorization is required to exploit this vulnerability
Vulnerability details and POC
Payload:
Access any folder on the site
/cdm/database/
/cdm/build/
/cdm/uploads/
The following is a screenshot of the POC for obtaining data
Suggested repair
1.Use Whitelisting for Allowed Paths
Only allow access to specific, predefined file paths or file names.
ALLOWED_FILES = ['profile.jpg', 'report.pdf']
if requested_file not in ALLOWED_FILES:
return "Access Denied"
2.Normalize and Validate File Paths:
Use secure functions to normalize the file path and ensure it stays within the intended directory.
import os
base_dir = '/var/www/app/uploads/'
requested_path = os.path.normpath(os.path.join(base_dir, user_input))
if not requested_path.startswith(base_dir):
return "Access Denied"
3.Avoid Using User Input Directly in File Paths:
Never directly concatenate or pass user-controlled input into file paths or system commands.