VYPR
Severity: High (7.5) · NVD Advisory · Published Dec 27, 2017 · Updated May 13, 2026

CVE-2017-17876

Description

Biometric Shift Employee Management System 3.0 allows remote attackers to bypass intended file-read restrictions via a user=download request with a pathname in the path parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated users can read arbitrary files on the server via a crafted request to Biometric Shift Employee Management System 3.0.

Vulnerability

Biometric Shift Employee Management System version 3.0 contains a path traversal vulnerability in its file download functionality. When the user parameter is set to download, the path parameter is passed to the file read without validation, so an attacker can specify an arbitrary file path. The vulnerable endpoint is reached through index.php and requires no authentication. [1]

Exploitation

An attacker can exploit the vulnerability by sending an HTTP GET request to the application with user=download and a desired file path in the path parameter. No authentication or prior knowledge of the system is required. The PoC demonstrates a request like http://localhost/[PATH]/index.php?user=download&name=VerAyari.Ver&path=[FILE], where [FILE] can be a path such as /etc/passwd to read the password file on a Linux server. [1]

Impact

Successful exploitation allows an unauthenticated remote attacker to read arbitrary files from the web server's file system. This can lead to disclosure of sensitive information such as configuration files containing database credentials, application source code, or other confidential data. The impact is limited to file disclosure (confidentiality breach); the vulnerability does not allow file modification or code execution. [1]

Mitigation

As of the disclosure date (December 2017), the vendor had released no patch or updated version for 3.0. Until an update is available, restrict access to the vulnerable endpoint with web application firewall rules or add server-side validation of the path parameter. The vendor's site is https://www.shiftsystems.net/. The vulnerability is listed on Exploit-DB (EDB-ID 43394) and may be used in assessments. [1]

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
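The following is an added defensive example, not code from the vendor or from the advisory: it implements the containment check that the "input validation" advice above amounts to, and runs it over constructed access-log lines to flag user=download requests whose path parameter escapes the download directory. The directory /var/www/bsems/uploads and the log lines are assumptions for the demo.

```python
import os
from urllib.parse import parse_qs, unquote, urlparse

# Assumed download directory; the real application's layout is not on the page.
DOWNLOAD_ROOT = "/var/www/bsems/uploads"

# Constructed access-log lines (combined format, abbreviated) for the demo.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Dec/2017:10:00:01 +0000] "GET /bsems/index.php?user=download&name=report.pdf&path=report.pdf HTTP/1.1" 200 512
10.0.0.9 - - [27/Dec/2017:10:00:07 +0000] "GET /bsems/index.php?user=download&name=VerAyari.Ver&path=/etc/passwd HTTP/1.1" 200 1871
10.0.0.9 - - [27/Dec/2017:10:00:09 +0000] "GET /bsems/index.php?user=download&name=x&path=..%2F..%2Fconfig.php HTTP/1.1" 200 940
10.0.0.7 - - [27/Dec/2017:10:01:00 +0000] "GET /bsems/index.php?user=login HTTP/1.1" 200 2201
"""


def resolve_download(path, root=DOWNLOAD_ROOT):
    """Return the normalised file path if it stays inside root, else None.

    Join the untrusted value to the allowed directory, normalise it, and refuse
    anything that lands outside. An absolute path replaces root in os.path.join
    and '..' segments climb out of it, so both fail the containment check.
    On a live filesystem also apply os.path.realpath so symlinks cannot escape.
    """
    root = os.path.normpath(root)
    candidate = os.path.normpath(os.path.join(root, path))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


def flag_download_requests(log_text, root=DOWNLOAD_ROOT):
    """Return (client_ip, path_value) for user=download requests that escape root."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split('"')
        if len(fields) < 2:
            continue
        request = fields[1].split(" ")  # METHOD URL PROTOCOL
        if len(request) < 2:
            continue
        query = parse_qs(urlparse(request[1]).query)
        if query.get("user") != ["download"]:
            continue
        for value in query.get("path", []):
            # parse_qs decoded one layer; unquote again so a double-encoded
            # value is judged by what the server would actually open.
            if resolve_download(unquote(value), root) is None:
                hits.append((line.split(" ", 1)[0], value))
    return hits
```

Feed flag_download_requests the web server's access log to find past traversal attempts, and use resolve_download as the gate in front of any file read keyed on a request parameter.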
