#####################################################################################

#

# Ardent Security Advisory

#Original Disclosure: https://www.ardent-security.com/advisory/ASA-2021-06/ASA-2021-06_CVE-2021-29398.txt

#

#####################################################################################

#

# Product:          NorthStar Club Management 6.3

# Vendor:           Northstar Technologies Inc

# URL:                  https://www.globalnorthstar.com/

# ASA ID:             ASA-2021-06

# CVE ID:             CVE-2021-29398

#CWE ID:             CWE-35 – Path Traversal

# Subject:           Arbitrary Filesystem Browsing Via Directory Traversal

# Severity:          High

# Author:            Alexandre LaRocque, CEO <[email protected]>

# Date:                 2022-01-27

#

#####################################################################################

Description:

In the NorthStar web application, the “/Common/NorthFileManager/fileManagerObjects.jsp” file has a parameter named “folderPath” that is vulnerable to directory traversal. This allows any remote unauthenticated user to freely browse and list the directories across the entire filesystem of the host of the web application.  This vulnerability was identified by Ardent Security experts while performing penetration testing in Toronto, Canada.

Technical Description:

Due to the dominant market share of the product, no proof-of-concept code is provided.

Affected version(s):

Only NorthStar Club Management 6.3 was tested. Older versions could be vulnerable.

Workaround / Fix:

It is unknown if this vulnerability has been fixed by the vendor.

Vulnerability Severity:

CVSS v3.1 Metrics [2]:

– CVSS Base Score: 7.5 (High)

– CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline:

2021-03-18: Vulnerability discovery

2021-03-27: Contacted vendor about the vulnerability

2021-03-27: Vendor was given a 90-days period

2021-06-27: Vendor was given an additional  90-days period

2021-09-27: Vendor was given an additional  90-days period

2022-01-27: Public disclosure

Reference:

[1] https://www.ardent-security.com/advisory/ASA-2021-06

[2] https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H&version=3.1