An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal by sending a crafted POST request to /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename.
An attacker sends a crafted HTTP POST request to the /Modules.php endpoint with parameters modname=messaging/Inbox.php, modfunc=save, and filename containing path traversal sequences (e.g., ../). The application does not properly validate the filename parameter value, which allows exiting the permitted directory and gaining access to arbitrary operating system files. The attack does not require authentication or user interaction, and can be performed remotely over the network.
An attacker can read, overwrite, or create arbitrary files accessible to the web application process, which may lead to disclosure of configuration data, credential theft, or execution of malicious code on the server.
Apply patches available from the vendor according to the references. The vendor's repository is available at: https://github.com/OS4ED/openSIS-Classic. Until the fix is implemented, it is recommended to restrict access to the openSIS instance only to trusted IP addresses and monitor requests to the /Modules.php endpoint for anomalous filename parameter values.
Os4Ed openSIS in versions 8.0 to 9.1 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOs4ed Opensis
APPOs4Ed8.0 β 9.1
Related vulnerabilities
SQL Injection w OpenSIS via parametry student_id i TRANSFER[SCHOOL]
SQL Injection w Os4Ed openSIS β parametr filter_id
Path traversal w openSIS β nieautoryzowany dostΔp do plikΓ³w przez Modules.php
SQL Injection w OS4ED openSIS β parametr cp_id w module wiadomoΕci
SQL injection w OS4Ed openSIS via parametr groupid w Group.php