← Advisories

LogicalDOC Enterprise 7.7.4 Multiple Directory Traversal Vulnerabilities

High
Advisory ID
ZSL-2018-5450
Release Date
11 February 2018
Vendor
LogicalDOC Srl - https://www.logicaldoc.com
Affected Version
7.7.4, 7.7.3, 7.7.2, 7.7.1, 7.6.4, 7.6.2, 7.5.1, 7.4.2, 7.1.1
CVE
CVE-2019-25258
Tested On
Microsoft Windows 10, Linux Ubuntu 16.04, Java 1.8.0_161, Apache-Coyote/1.1, Apache Tomcat/8.5.24, Apache Tomcat/8.5.13, Undisclosed 8.41
Summary

LogicalDOC is a free document management system that is designed to handle and share documents within an organization. LogicalDOC is a content repository, with Lucene indexing, Activiti workflow, and a set of automatic import procedures.

Description

The application suffers from multiple post-auth file disclosure vulnerability when input passed thru the 'suffix' and 'fileVersion' parameters is not properly verified before being used to include files. This can be exploited to read arbitrary files from local resources with directory traversal attacks.

Proof of Concept
logicaldoc_lfi.txtTXT
Disclosure Timeline
26.01.2018Vulnerabilities discovered.
30.01.2018Vendor contacted.
07.02.2018No response from the vendor.
08.02.2018Vendor contacted again.
10.02.2018No response from the vendor.
11.02.2018Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://exchange.xforce.ibmcloud.com/vulnerabilities/139087
[2]https://www.exploit-db.com/exploits/44019/
[3]https://packetstormsecurity.com/files/146352
[4]https://cxsecurity.com/issue/WLB-2018020146
[5]https://www.cve.org/CVERecord?id=CVE-2019-25258
Changelog
11.02.2018Initial release
21.02.2018Added reference [1], [2], [3] and [4]
23.03.2026Added reference [5]