Chanjet TPlus Arbitrary File Read Scanner

Detects 'Arbitrary File Read' vulnerability in Chanjet TPlus.

Short Info

Level: High
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 24 days 20 hours
Scan only one: URL
Toolbox: -

Chanjet TPlus is a comprehensive business management software widely used by enterprises for finance and supply chain management solutions. Developed by Chanjet, the software offers modules for accounting, sales, purchasing, inventory, and production management. It is particularly popular among small to medium-sized businesses for its efficiency in integrating business processes. Businesses use Chanjet TPlus to streamline operations and improve financial accuracy. The software supports various configurations and scalability options to adapt to diverse business needs.

An Arbitrary File Read vulnerability allows a malicious actor to read sensitive files from the server without authorization. This type of vulnerability can expose critical data such as passwords, configuration files, and private keys. Attackers exploit such vulnerabilities to gather valuable information for further attacks on the system. The threat lies in unauthorized access to files, potentially leading to data breaches.

The vulnerability in Chanjet TPlus is located in the DownloadProxy.aspx endpoint. Attackers can manipulate the 'Path' parameter to reach files outside the intended directory: by supplying path traversal sequences, they can read sensitive files such as Web.Config. The vulnerable endpoint does not properly validate or canonicalize the supplied path before opening the file, so the traversal is followed and an unintended file is returned.
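A defender-side check for the behaviour described above, written as an added example (not part of the original page or of the scanner): it walks constructed web-server log lines and flags requests to DownloadProxy.aspx whose 'Path' parameter escapes its directory, decoding repeatedly so double-encoded and backslash variants are not missed. The log format and the directory in front of DownloadProxy.aspx are assumptions; only the endpoint and parameter names come from the page.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample log lines (not from the page): client, method, URI stem, query, status.
# The "/app/" directory is an assumption; the page only names the endpoint itself.
SAMPLE_LOGS = [
    "203.0.113.7 GET /app/DownloadProxy.aspx Path=reports%2Fq1.pdf 200",
    "203.0.113.9 GET /app/DownloadProxy.aspx Path=..%2F..%2FWeb.Config 200",
    "203.0.113.9 GET /app/DownloadProxy.aspx Path=..%252F..%252FWeb.Config 200",
    "198.51.100.4 GET /app/DownloadProxy.aspx Path=%2E%2E%5C%2E%2E%5CWeb.Config 200",
    "198.51.100.4 GET /app/login.aspx - 200",
]


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded traversal (%252F) is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalize(value: str) -> str:
    """Decoded Path value with Windows separators folded to '/'."""
    return decode_fully(value).replace("\\", "/")


def is_traversal(path_value: str) -> bool:
    """True when the Path value climbs out of its directory or is absolute."""
    norm = normalize(path_value)
    if norm.startswith("/") or re.match(r"^[A-Za-z]:", norm):
        return True
    return any(segment == ".." for segment in norm.split("/"))


def find_suspicious(lines):
    """Return (client, normalized path) for DownloadProxy.aspx requests with traversal."""
    hits = []
    for line in lines:
        client, _method, stem, query, _status = line.split()
        if not stem.lower().endswith("/downloadproxy.aspx") or query == "-":
            continue
        for value in parse_qs(query).get("Path", []):  # parse_qs decodes one layer
            if is_traversal(value):
                hits.append((client, normalize(value)))
    return hits
```

On the constructed lines this flags the three traversal requests and leaves the legitimate report download and the unrelated login request alone.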

Exploiting this vulnerability can lead to significant security breaches, including exposure of sensitive information and system configuration data. If attackers read configuration files, they might uncover database connection strings, encryption keys, and other critical information. This can facilitate further exploitation of the system, potentially leading to unauthorized data access or manipulation.
