Horos 2.1.0 Web Portal Remote Information Disclosure Exploit

Title: Horos 2.1.0 Web Portal Remote Information Disclosure Exploit
Advisory ID: ZSL-2016-5387
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (4/5)
Release Date: 16.12.2016
Summary
Horos™ is an open-source, free medical image viewer. The goal of the Horos Project is to develop a fully functional, 64-bit medical image viewer for OS X. Horos is based upon OsiriX and other open source medical imaging libraries.
Description
Horos suffers from a file disclosure vulnerability: input passed through the URL path is not properly verified before being used to read files. This can be exploited to read files from local resources with directory traversal attacks.
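The check the description says is missing, as an added example that is not Horos project code: a hardened URL-path-to-file resolution for a web portal that serves files from a fixed document root, plus a small pass over constructed access-log lines that flags the requests this check rejects. WEB_ROOT, the file names and the log lines are constructed assumptions, not values from the advisory.

```python
"""Added example (not Horos code): verify a URL path stays inside the web root."""
import os
import posixpath
from typing import List, Optional
from urllib.parse import unquote

WEB_ROOT = "/srv/horos_web"  # constructed assumption, not the real Horos path


def resolve_web_path(web_root: str, url_path: str) -> Optional[str]:
    """Map a URL path to a filesystem path under web_root, or None if it escapes.

    Rejects traversal after decoding and normalisation, so percent-encoded and
    double-encoded '..' segments, NUL bytes and backslash separators are caught.
    """
    root = os.path.realpath(web_root)
    decoded = unquote(unquote(url_path))  # second unquote catches %252e%252e
    if "\x00" in decoded or "\\" in decoded:
        return None
    # Normalise with POSIX rules; any '..' that survives would leave the root.
    relative = posixpath.normpath(decoded.lstrip("/"))
    if ".." in relative.split("/"):
        return None
    # Resolve symlinks on the final path and confirm containment in the root.
    candidate = os.path.realpath(os.path.join(root, relative))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


# Constructed access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Dec/2016:10:00:01 +0100] "GET /images/study1.dcm HTTP/1.1" 200 5120',
    '10.0.0.9 - - [16/Dec/2016:10:00:02 +0100] "GET /../../../../etc/passwd HTTP/1.1" 200 1453',
    '10.0.0.9 - - [16/Dec/2016:10:00:03 +0100] "GET /%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 200 212',
]


def traversal_requests(log_lines: List[str], web_root: str = WEB_ROOT) -> List[str]:
    """Return the request paths in log_lines that the containment check rejects."""
    hits = []
    for line in log_lines:
        try:
            request = line.split('"')[1]  # 'GET /path HTTP/1.1'
            path = request.split()[1]
        except IndexError:
            continue  # malformed line, skip it
        if resolve_web_path(web_root, path) is None:
            hits.append(path)
    return hits
```

Serving only what resolve_web_path returns (and logging every None) gives both the fix and an audit trail for attempts against the portal.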
Vendor
Horos Project - https://www.horosproject.org
Affected Version
2.1.0
Tested On
macOS 12.10.2 (Sierra)
macOS 12.10.1 (Sierra)
Vendor Status
[15.12.2016] Vendor informed.
PoC
horos_lfi.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/40930/
[2] https://packetstormsecurity.com/files/140194
[3] https://cxsecurity.com/issue/WLB-2016120105
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/119862
Changelog
[16.12.2016] - Initial release
[20.12.2016] - Added references [1], [2] and [3]
[24.12.2016] - Added reference [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk