Headline
CVE-2022-28478 (looCiprian/Responsible-Vulnerability-Disclosure)
SeedDMS 6.0.17 and 5.1.24 are vulnerable to Directory Traversal. The “Remove file” functionality inside the “Log files management” menu does not sanitize user input allowing attackers with admin privileges to delete arbitrary files on the remote system.
Description
SeedDMS 6.0.17 and 5.1.24 are prone to path traversal in the delete operation of the log management page. The "Remove file" functionality inside the "Log files management" menu does not sanitize the user-supplied file name before building the path to unlink, so an authenticated attacker with admin privileges can delete arbitrary files on the remote system (any file the web server process has permission to remove), not just log files.
POC
Vulnerable code
Injecting payload
File system view before and after the exploit
Remediation
Sanitize user input using “basename” php function
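To make the vulnerable pattern and the recommended fix concrete, here is an added PHP example. It is not SeedDMS code: the function names, the `$logDir` variable, the temporary directory layout and the `../conf/settings.xml` payload are all assumptions made for illustration. It shows the unsanitized join that the POC exploits next to a hardened version that applies `basename` as the advisory recommends, plus a `realpath` containment check as a second layer.

```php
<?php
// Added example, not SeedDMS code. Function names, $logDir and the
// sample payload are assumptions made for illustration only.
declare(strict_types=1);

// Vulnerable pattern: the user-supplied name is concatenated onto the log
// directory without sanitization, so a name such as "../conf/settings.xml"
// walks out of the log directory and unlink() removes an arbitrary file.
function removeLogVulnerable(string $logDir, string $name): bool
{
    $path = $logDir . '/' . $name;
    return is_file($path) && unlink($path);
}

// Hardened pattern: basename() drops every directory component, so only a
// file directly inside $logDir can be named ("../conf/settings.xml" becomes
// "settings.xml", which is then looked up in the log directory). realpath()
// is a defence in depth: it rejects names that resolve (e.g. via a symlink)
// to a location outside the canonical log directory.
function removeLogHardened(string $logDir, string $name): bool
{
    $base = basename($name);
    if ($base === '' || $base === '.' || $base === '..') {
        return false;
    }
    $dir  = realpath($logDir);
    $path = realpath($logDir . '/' . $base);
    if ($dir === false || $path === false) {
        return false; // directory or file does not exist
    }
    if (strpos($path, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return false; // resolved target is not inside the log directory
    }
    return is_file($path) && unlink($path);
}

// Constructed demo tree; stands in for a SeedDMS install and is removed at the end.
$root = sys_get_temp_dir() . '/seeddms_demo_' . getmypid();
mkdir("$root/log", 0700, true);
mkdir("$root/conf", 0700, true);
file_put_contents("$root/log/webdav.log", "log line\n");
file_put_contents("$root/conf/settings.xml", "<settings/>\n");

$payload = '../conf/settings.xml'; // the traversal payload from the POC, assumed form

var_dump(removeLogHardened("$root/log", $payload));    // bool(false): rejected
var_dump(file_exists("$root/conf/settings.xml"));       // bool(true): config untouched
var_dump(removeLogHardened("$root/log", 'webdav.log')); // bool(true): legitimate delete
var_dump(removeLogVulnerable("$root/log", $payload));   // bool(true): config deleted
var_dump(file_exists("$root/conf/settings.xml"));       // bool(false): traversal succeeded

// Clean up the demo tree.
@unlink("$root/conf/settings.xml");
@unlink("$root/log/webdav.log");
rmdir("$root/conf");
rmdir("$root/log");
rmdir($root);
```

`basename` alone is what the vendor fix relies on and is sufficient to stop the traversal; the `realpath` check is added here because it also catches a log file that is itself a symlink pointing outside the directory, a case `basename` does not address. Note that the deletion still runs with the web server's privileges, so the impact is bounded by what that account may unlink.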
Reference
https://sourceforge.net/p/seeddms/code/ci/d68c922152e8a8060dd7fc3ebdd7af685e270e36/
Timeline
- [26/03/2022] Vulnerability evidence sent to the vendor
- [26/03/2022] Vulnerability confirmed by the vendor
- [26/03/2022] Vulnerability fixed by the vendor
Notes
Thanks to the main developer of SeedDMS, Uwe Steinmann, who immediately acknowledged the vulnerability and fixed it.