CVE-2024-34471 PoC — HSC Cybersecurity HC Mailinspector 路径遍历漏洞

Source

Associated Vulnerability

Readme

# CVE-2024-34471

**Description:** An authenticated user can abuse a Path Traversal vulnerability (resulting in file deletion if has write permissions) in the `mliRealtimeEmails.php` file. The filename parameter in the export HTML functionality does not properly validate the file location, allowing an attacker to read and delete arbitrary files on the server. This was observed when the `mliRealtimeEmails.php` file itself was read and subsequently deleted, resulting in a 404 error for the file and disruption of email information loading.

**Versions:** Discovered in HSC Mailinspector 5.2.17-3 but applicable to all versions up to 5.2.18.

## Proof of Concept

It was found while selecting emails, clicking on the Export button, and choosing the HTML option. The feature gathers data from the database, generates a temporary file, and returns the data for the user to download.

However, by passing the filename of the temporary file as a parameter, it's possible to change the location of the file and thereby read its content. 

> Payload: `/mailinspector/mliRealtimeEmails.php?exe=download&filename=../../../../../../../../etc/hostname&ext=html&mime=text%2Fhtml`

![](path-traversal.png)

File Snapshot

 [4.0K]  /data/pocs/3e3ff34efd1e475dc045c81f4ba15897fa8c3db7
├── [ 71K]  path-traversal.png
└── [1.2K]  README.md

0 directories, 2 files

Remarks