Source: cna@vuldb.com
A vulnerability has been found in yeqifu carRental up to 3fabb7eae93d209426638863980301d6f99866b3. This vulnerability affects the function downloadShowFile of the file /file/downloadShowFile.action of the component com.yeqifu.sys.controller.FileController. The manipulation of the argument path leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
Critical vulnerability discovered in yeqifu carRental allows for remote path traversal, potentially enabling attackers to access and exfiltrate sensitive files from the server. This unpatched vulnerability poses a significant risk of data breach and system compromise due to the public availability of the exploit and lack of vendor response.
Step 1: Payload Delivery: An attacker crafts a malicious HTTP request to /file/downloadShowFile.action containing a crafted path parameter. This parameter will include path traversal sequences (e.g., ../../../etc/passwd).
Step 2: Request Processing: The downloadShowFile function receives the request and extracts the path parameter.
Step 3: Path Manipulation (Flawed): The function fails to properly validate or sanitize the path parameter. It directly uses the attacker-controlled path to construct the file path to be accessed.
Step 4: File Access: The server attempts to access the file specified by the manipulated path (e.g., /etc/passwd).
Step 5: Information Disclosure: The server returns the contents of the requested file (e.g., /etc/passwd) to the attacker, leading to information disclosure.
The vulnerability lies within the downloadShowFile function in /file/downloadShowFile.action of the FileController. The function fails to properly sanitize or validate the path argument, allowing an attacker to craft a malicious payload containing path traversal sequences (e.g., ../) to navigate outside the intended directory. This leads to the ability to read arbitrary files on the server, including configuration files, sensitive data, and potentially even system files, depending on the server's file system permissions. The root cause is a lack of input validation and sanitization of the path parameter before it is used to access files. This allows for the manipulation of the file path, leading to unauthorized access.
While no specific APTs are directly linked in the provided information, the public availability of the exploit and the nature of the vulnerability make it attractive to various threat actors, including those seeking to establish initial access or steal sensitive data. The vulnerability could be incorporated into existing malware campaigns. CISA KEV: Not listed at this time, but likely to be added if exploitation becomes widespread.
Monitor web server logs for suspicious requests to /file/downloadShowFile.action whose path parameter contains path traversal sequences (e.g., ../), including URL-encoded and double-encoded forms, since the sequence may only appear after decoding.
Implement a Web Application Firewall (WAF) with rules to detect and block path traversal attempts.
Analyze network traffic for unusual file download activity from the affected server.
Monitor file access logs for unexpected access to sensitive files (e.g., /etc/passwd, configuration files).
Use file integrity monitoring tools to detect unauthorized changes to critical system files.
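The log monitoring described above, as an added example that is not part of the advisory: it parses constructed access-log lines in the common combined format (the host, endpoint and log lines are assumed, not taken from real traffic), repeatedly URL-decodes the path parameter of requests to /file/downloadShowFile.action, and flags entries that contain ../ segments or an absolute path after decoding.

```python
"""Flag path-traversal attempts against /file/downloadShowFile.action in
web server access logs. Added example; not code from the carRental project."""
import re
from urllib.parse import unquote, urlsplit

ENDPOINT = "/file/downloadShowFile.action"

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /file/downloadShowFile.action?path=report.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2024:10:00:02 +0000] "GET /file/downloadShowFile.action?path=../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/8.0"
198.51.100.7 - - [10/Jan/2024:10:00:03 +0000] "GET /file/downloadShowFile.action?path=..%2F..%2Fconf%2Fapplication.properties HTTP/1.1" 200 912 "-" "python-requests/2.31"
198.51.100.8 - - [10/Jan/2024:10:00:04 +0000] "GET /file/downloadShowFile.action?path=%252e%252e%252fetc%252fshadow HTTP/1.1" 403 0 "-" "curl/8.0"
203.0.113.5 - - [10/Jan/2024:10:00:05 +0000] "GET /index.action HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# A ".." segment delimited by slashes (backslashes are normalised to "/" first).
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so that double-encoded
    payloads such as %252e%252e%252f are inspected in their decoded form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(raw_value):
    """True if the decoded parameter walks upward or names an absolute path."""
    decoded = fully_decode(raw_value).replace("\\", "/")
    return TRAVERSAL_RE.search(decoded) is not None or decoded.startswith("/")


def flag_traversal_requests(log_text):
    """Return one record per request to ENDPOINT whose `path` parameter looks
    like a traversal attempt. Blocked (403) attempts are reported too, since a
    WAF hit is still worth correlating with the source address."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != ENDPOINT:
            continue
        # Split the query by hand to keep the parameter exactly as logged.
        for pair in url.query.split("&"):
            key, _, raw = pair.partition("=")
            if key == "path" and is_traversal(raw):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": int(m.group("status")),
                    "path": raw,
                    "decoded": fully_decode(raw),
                })
    return hits


if __name__ == "__main__":
    for hit in flag_traversal_requests(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} path={hit["decoded"]!r}')
```

Run against SAMPLE_LOG the function reports three of the five lines; the plain download of report.pdf and the unrelated /index.action request are left alone. The decode loop is the part that matters in practice: a rule that only greps for the literal string ../ misses the %2F and %252e variants in lines three and four.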
Implement robust input validation and sanitization of the path parameter within the downloadShowFile function. This should include blacklisting or whitelisting characters and sequences that could be used for path traversal (e.g., .., /); because blacklists can be bypassed with encoding variants, the decisive check is to canonicalize the resolved path and reject any request whose target lies outside the intended download directory.
Restrict the file access permissions of the web server user to only the necessary directories.
Implement a defense-in-depth strategy, including a WAF and intrusion detection/prevention systems.
If possible, update to a patched version of the software. Because the project uses a rolling release model and has not yet responded, this may require manual code review and patching.
Review and harden the server's file system permissions to prevent unauthorized access to sensitive files.
Consider using a content delivery network (CDN) to serve static files and reduce the attack surface.
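The input-validation mitigation above, as an added example in Python that is not code from the carRental project: the naive join that reproduces the flaw described in the advisory is placed next to a hardened resolver that rejects absolute paths and .. segments and then canonicalizes the result and confirms it still sits under the download directory. The download directory, file names and contents are constructed in a temporary directory for the demonstration; the web framework is assumed to have already URL-decoded the parameter before it reaches the resolver.

```python
"""Naive vs. hardened resolution of a user-supplied download path.
Added example; not code from the carRental project."""
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when the requested path would leave the download directory."""


def unsafe_resolve(base_dir, user_path):
    """Mirrors the flaw in the advisory: the request parameter is concatenated
    onto the download directory with no validation, so '..' segments walk out
    of base_dir. Shown only to contrast with safe_resolve; do not use."""
    return os.path.normpath(os.path.join(base_dir, user_path))


def safe_resolve(base_dir, user_path):
    """Return the canonical file path if, and only if, it stays inside base_dir."""
    base = Path(base_dir).resolve()
    candidate = Path(user_path)
    if candidate.is_absolute():
        raise PathTraversalError("absolute paths are not allowed")
    # Refusing '..' outright is a cheap first gate; the containment check below
    # is the one that actually matters and also covers symlinks and odd encodings.
    if any(part == ".." for part in candidate.parts):
        raise PathTraversalError("parent-directory segments are not allowed")
    target = (base / candidate).resolve()  # resolve() follows symlinks
    if not (target == base or base in target.parents):
        raise PathTraversalError("resolved path escapes the download directory")
    return target


def _inside(base, path):
    base, path = Path(base), Path(path)
    return path == base or base in path.parents


def demo():
    """Build a throwaway download directory and run both resolvers on the same
    inputs. Returns a dict keyed by the requested path so the outcome can be
    checked programmatically rather than only printed."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "uploads"
        base.mkdir()
        (base / "report.pdf").write_bytes(b"constructed sample content")
        (Path(tmp) / "secret.txt").write_text("not for download")  # sits one level above base
        for user_path in ("report.pdf", "../secret.txt", "../../../etc/passwd"):
            naive = unsafe_resolve(base, user_path)
            entry = {"unsafe_target": naive, "unsafe_leaks": not _inside(base, naive)}
            try:
                entry["safe"] = "allowed"
                entry["safe_target"] = str(safe_resolve(base, user_path))
            except PathTraversalError as exc:
                entry["safe"] = f"rejected: {exc}"
            results[user_path] = entry
    return results


if __name__ == "__main__":
    for requested, outcome in demo().items():
        print(f"{requested!r}: naive -> {outcome['unsafe_target']} "
              f"(leaks={outcome['unsafe_leaks']}); hardened -> {outcome['safe']}")
```

The naive join turns ../secret.txt into a file outside the upload directory and ../../../etc/passwd into the system file named in the advisory, while safe_resolve rejects both and still serves report.pdf. The containment test is done on the canonical path from resolve(), so a symbolic link placed inside the download directory that points elsewhere is caught as well, which a string-based blacklist never sees.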