LogicalDOC Enterprise 7.7.4 Multiple Directory Traversal Vulnerabilities

Title: LogicalDOC Enterprise 7.7.4 Multiple Directory Traversal Vulnerabilities
Advisory ID: ZSL-2018-5450
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (4/5)
Release Date: 11.02.2018
Summary
LogicalDOC is a free document management system that is designed to handle and share documents within an organization. LogicalDOC is a content repository, with Lucene indexing, Activiti workflow, and a set of automatic import procedures.
Description
The application suffers from multiple post-auth file disclosure vulnerability when input passed thru the 'suffix' and 'fileVersion' parameters is not properly verified before being used to include files. This can be exploited to read arbitrary files from local resources with directory traversal attacks.
Vendor
LogicalDOC Srl - https://www.logicaldoc.com
Affected Version
7.7.4
7.7.3
7.7.2
7.7.1
7.6.4
7.6.2
7.5.1
7.4.2
7.1.1
Tested On
Microsoft Windows 10
Linux Ubuntu 16.04
Java 1.8.0_161
Apache-Coyote/1.1
Apache Tomcat/8.5.24
Apache Tomcat/8.5.13
Undisclosed 8.41
Vendor Status
[26.01.2018] Vulnerabilities discovered.
[30.01.2018] Vendor contacted.
[07.02.2018] No response from the vendor.
[08.02.2018] Vendor contacted again.
[10.02.2018] No response from the vendor.
[11.02.2018] Public security advisory released.
PoC
logicaldoc_lfi.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://exchange.xforce.ibmcloud.com/vulnerabilities/139087
[2] https://www.exploit-db.com/exploits/44019/
[3] https://packetstormsecurity.com/files/146352
[4] https://cxsecurity.com/issue/WLB-2018020146
Changelog
[11.02.2018] - Initial release
[21.02.2018] - Added reference [1], [2], [3] and [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk