Description: An authenticated user can abuse a path traversal vulnerability in the mliRealtimeEmails.php file, which also results in file deletion when write permissions are available. The filename parameter in the export HTML functionality does not properly validate the file location, allowing an attacker to read and delete arbitrary files on the server. This was observed when the mliRealtimeEmails.php file itself was read and subsequently deleted, resulting in a 404 error for the file and disruption of email information loading.
Versions: Discovered in HSC Mailinspector 5.2.17-3 but applicable to all versions up to 5.2.18.
The issue was found while selecting emails, clicking the Export button, and choosing the HTML option. The feature gathers data from the database, generates a temporary file, and returns the data for the user to download.
However, because the filename of the temporary file is passed as a request parameter, it is possible to change the location of the file and thereby read its content.
Payload:
/mailinspector/mliRealtimeEmails.php?exe=download&filename=../../../../../../../../etc/hostname&ext=html&mime=text%2Fhtml
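Detection: the following is an added example, not code from the advisory or from the vendor. It scans web access logs for export download requests to mliRealtimeEmails.php whose filename parameter leaves the expected location. The combined log format, the sample lines, and the rule that a legitimate temporary-file name is relative with no ".." segment are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/mlirealtimeemails.php"   # script named in the advisory (lower-cased)
# Assumed log layout: Apache/nginx combined format (client IP first, quoted request line).
LINE_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so nested encodings are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(name):
    """Assumption: a legitimate temp-file name is relative and has no '..' segment."""
    path = fully_decode(name).replace("\\", "/")
    return path.startswith("/") or ".." in path.split("/")

def flag_line(line):
    """Return (client_ip, decoded_filename) for a suspicious export download, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    url = urlsplit(target)
    if not url.path.lower().endswith(ENDPOINT):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    if "download" not in params.get("exe", []):
        return None
    for name in params.get("filename", []):
        if is_traversal(name):
            return client, fully_decode(name)
    return None

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /mailinspector/mliRealtimeEmails.php?exe=download&filename=export_8f3a&ext=html&mime=text%2Fhtml HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:05:12 +0000] "GET /mailinspector/mliRealtimeEmails.php?exe=download&filename=../../../../../../../../etc/hostname&ext=html&mime=text%2Fhtml HTTP/1.1" 200 14',
    '198.51.100.7 - - [01/Jan/2024:10:06:40 +0000] "GET /mailinspector/mliRealtimeEmails.php?exe=download&filename=..%2F..%2F..%2Fetc%2Fhostname&ext=html&mime=text%2Fhtml HTTP/1.1" 200 14',
    '198.51.100.7 - - [01/Jan/2024:10:06:41 +0000] "GET /mailinspector/mliRealtimeEmails.php HTTP/1.1" 404 196',
]

def scan(lines):
    """Return every (client_ip, decoded_filename) hit found in the given log lines."""
    return [hit for hit in map(flag_line, lines) if hit]
```

A 404 for mliRealtimeEmails.php itself, as in the last sample line, is not flagged by this rule but matches the deletion symptom described above and is worth correlating with any hit from the same client.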