CVE-2024-1302: 7.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N | CWE-200.
Software link: https://www.s-can.at/en/product/monitool/
Version: 4.6.3
@author: Guillermo García Molina
Description: In s:can moni:tools up to and including version 4.6.3, an unauthenticated attacker could download log files from the application, obtaining sensitive information stored in them.
The authenticated menu of the moni::tools device includes a function for downloading log files. However, it has been discovered that authentication is not required to perform these requests and download the files, which are prone to contain sensitive information, such as internal directories or database errors.
The following picture shows the request made to the endpoint log-logfile-download.x, with the database log file /var/log/postgresql/postgresql-9.6-main.log in the file parameter. As can be seen, no cookies are included in the request headers:
Once the unauthenticated request is performed, the following server response is received, including the content of the postgresql-9.6-main.log file.
Therefore, an incorrect access control vulnerability is found, allowing an unauthenticated attacker to download sensitive log files.
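A detection check for the behaviour described above, as an added example that is not part of the original advisory: it scans web access logs for successful requests to log-logfile-download.x that carried no Cookie header. The log layout (combined format with the Cookie header appended as a last quoted field), the root URL path and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed log layout (not from the advisory): combined format with the
# request's Cookie header appended as a final quoted field ("-" when absent).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)
ENDPOINT = "log-logfile-download.x"  # endpoint named in the advisory

# Constructed sample lines (documentation IP range, made-up timestamps).
_DL = "/log-logfile-download.x?file=/var/log/postgresql/postgresql-9.6-main.log"
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Jan/2024:10:01:07 +0000] "GET {_DL} HTTP/1.1" 200 48211 "-" "ExampleAgent/1.0" "-"',
    f'192.0.2.20 - - [01/Jan/2024:10:02:11 +0000] "GET {_DL} HTTP/1.1" 200 48211 "-" "ExampleAgent/1.0" "session=EXAMPLE"',
    f'192.0.2.30 - - [01/Jan/2024:10:03:40 +0000] "GET {_DL} HTTP/1.1" 401 0 "-" "ExampleAgent/1.0" "-"',
    '192.0.2.10 - - [01/Jan/2024:10:04:02 +0000] "GET /index.x HTTP/1.1" 200 1020 "-" "ExampleAgent/1.0" "-"',
]


def find_unauthenticated_downloads(lines):
    """Return one finding per successful request to the log download
    endpoint that was sent without any Cookie header."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        url = urlsplit(m["target"])
        if not url.path.endswith("/" + ENDPOINT):
            continue  # some other page
        if m["cookie"] not in ("", "-"):
            continue  # session state was presented
        if not m["status"].startswith("2"):
            continue  # server refused the request, nothing was served
        requested = parse_qs(url.query).get("file", ["<missing>"])[0]
        findings.append({"ip": m["ip"], "time": m["ts"],
                         "file": requested, "bytes": m["size"]})
    return findings


if __name__ == "__main__":
    for hit in find_unauthenticated_downloads(SAMPLE_LOG):
        print(hit)
```

On a device that enforces authentication on this endpoint, the check should return nothing; any hit is a log file served to a client that presented no session.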