
openSIS Classic 9.3 - Authenticated path traversal in SentMail attachment download
5,3
Medium
Discovered by
External researcher
Summary
Full name
openSIS Classic 9.3 - Authenticated path traversal in SentMail attachment download
Code name
State
Public
Release date
Affected product
openSIS Classic
Vendor
openSIS
Affected version(s)
9.3
Vulnerability name
Lack of data validation - Path Traversal
Vulnerability type
Remotely exploitable
Yes
CVSS v4.0 vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS v4.0 base score
5.3
Exploit available
Yes
CVE ID(s)
Description
openSIS Classic 9.3 contains an authenticated path traversal vulnerability in the legacy messaging sent-mail attachment download flow.
An authenticated user with access to the M 063. Lack of data validation - Path Traversalessaging module can send a crafted POST request to the AJAX module loader for messaging/SentMail.php. The vulnerable code takes the attacker-controlled filename parameter, prepends ./assets/, and passes the resulting path to a file download helper. Because only backslashes are replaced, Unix-style traversal sequences such as ../ remain intact and can be resolved by PHP outside the intended assets directory.
Successful exploitation allows an authenticated low-privileged user, including a student, parent, teacher, or staff account with Messaging access, to read arbitrary files that are readable by the web server process. This can expose configuration files, local system files, database credentials, or other sensitive server-side data.
Vulnerability
Root cause
The AJAX endpoint loads menu-allowed modules for authenticated users.
Ajax.php:30-34starts the request and includes common functions.Ajax.php:96-103validates the URL and appliesstrip_tagsrecursively to request values.Ajax.php:106appliessqlSecurityFilter()only tomodname.Ajax.php:234-258loadsmodules/$modnamewhen the module appears in the menu.modules/messaging/Menu.php:30-59exposesmessaging/SentMail.phpto admin, teacher, parent, and student profiles.
The query-string traversal guard does not inspect POST body parameters.
validateQueryString(curPageURL())inspects the current URL, but the exploit placesfilenamein the POST body:The URL itself contains no
../, so the body value reaches the included module.SentMail.phpbuilds a filesystem path from untrusted input.modules/messaging/SentMail.php:282-290:This replaces Windows backslashes only. It does not reject
../, URL-normalized traversal, absolute paths, or paths whose canonical location is outside./assets/.The download helper reads and prints the resolved file.
modules/messaging/SentMail.php:293-374checksis_readable($file), opens the path withfopen($file, 'r'), reads it withfread(), and prints each buffer to the HTTP response.
Confirmed source-to-sink path
Source: attacker-controlled POST body parameter
filename.Dispatcher:
Ajax.phpvalidates the URL and includesmodules/messaging/SentMail.phpbecause the Messaging menu allows it.Weak normalization:
SentMail.phpreplaces\with spaces but leaves/and../untouched.Path construction:
./assets/is concatenated with the attacker-controlled filename.Sink:
output_file()reads the resolved path and returns its contents as an attachment.
Related vulnerable code
The same attachment download pattern also exists in modules/messaging/Inbox.php:575-584 and modules/messaging/Inbox.php:870-918. Public CVEs already cover the Inbox path in older openSIS versions. This report focuses on the still-present SentMail.php path in openSIS Classic 9.3.
PoC
Preconditions
openSIS Classic Community Edition 9.3.
A valid authenticated user account with access to Messaging.
Application reachable at
http://<HOST>/opensis/.
Reproduction
Log in as a low-privileged user that can access Messaging, such as a student, parent, teacher, or staff user.
Send the following request with the authenticated session cookie:
On Windows targets, use forward slashes:
Adjust the number of
../segments to match the deployment path depth.
Expected result:
The server responds with an attachment named
hack.txt.The attachment body contains the requested file contents outside the intended
assetsdirectory.
Evidence of Exploitation
Video of exploitation:
Static evidence:

Our security policy
We have reserved the ID CVE-2026-11944 to refer to this issue from now on.
System Information
openSIS Classic
Version: 9.3 Community Edition
Operating System: Any deployment running the affected openSIS Classic messaging module
References
GitHub Repository: https://github.com/OS4ED/openSIS-Classic
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Daniel Celis, an independent security researcher.
Timeline
Vulnerability discovered
Vendor contacted
Vendor replied
Follow-up with vendor
Public disclosure
Does your application use this vulnerable software?
During our free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.













