Listing of all files in an arbitrary folder in SmartVista Cardgen version 3.28.0 (CVE-2022-38614)

CVE-2022-38614

Exploit Title: Business logic flaw leads to listing all files in an arbitrary folder in SmartVista Cardgen version 3.28.0

Exploit Author: Tin Pham aka TF1T of VietSunshine Cyber Security Services

Vendor Homepage: https://www.bpcbt.com/smartvista-solutions/

Affected Version(s): SmartVista Cardgen version 3.28.0

Description: In SmartVista Cardgen version 3.28.0, an authenticated user can abuse the IBG Files (or OutfileService) feature to list and download all files in an arbitrary folder by changing the PATH value of the corresponding entry under the System Directories feature to the target folder. The setting is accepted as-is rather than being confined to an intended base directory, so any folder the application process can read becomes browsable through the UI.

Steps to reproduce:

- Step 1: In the menu System -> System Directories, an authenticated user edits the IBGFormatter service (or OutfileService) entry and sets its PATH parameter to the target directory.

- Step 2: Open https://[URL]/svcl/pages/services/ibgformatter/ibgfiles.xhtml (menu CardGen -> Services -> IBG Formatter -> IBG Files) to see the listing of that directory.
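The root cause behind these two steps is a directory setting that is stored and then used verbatim. The following added example (not SmartVista/BPC code) models that pattern in Python next to a confined variant that canonicalises the configured PATH, including ".." segments and symlinks, and rejects anything outside an allow-listed root. The allow-listed root, the file names and the helper names are assumptions made for illustration; the directory tree it lists is constructed in a temporary directory.

```python
import os
import tempfile
from pathlib import Path

# Added example: a minimal, hypothetical model of an "outfile" service whose
# base directory is a user-editable setting, as the advisory describes for the
# SmartVista "System Directories" PATH. Not SmartVista/BPC code; the allow-listed
# root below is an assumption for illustration.
ALLOWED_ROOTS = ("/opt/cardgen/outfiles",)


def list_files_unrestricted(configured_path: str) -> list[str]:
    """Vulnerable pattern: the configured PATH is trusted verbatim.

    Whatever folder an authenticated user stores as PATH is listed (and, in the
    real feature, offered for download), so any directory readable by the
    application process becomes browsable through the UI.
    """
    return sorted(os.listdir(configured_path))


def resolve_confined(configured_path: str, allowed_roots=ALLOWED_ROOTS) -> Path:
    """Hardened check: canonicalise the configured path (resolving '..' and
    symlinks) and require it to be one of the allow-listed roots or a
    subdirectory of one.

    Raises PermissionError for anything outside the roots, including a symlink
    placed inside a root that points elsewhere.
    """
    target = Path(configured_path).resolve(strict=True)
    for root in allowed_roots:
        root_resolved = Path(root).resolve()
        if target == root_resolved or root_resolved in target.parents:
            return target
    raise PermissionError(f"PATH {configured_path!r} is outside the allowed roots")


def is_confined(configured_path: str, allowed_roots=ALLOWED_ROOTS) -> bool:
    """True if the configured PATH exists and passes resolve_confined."""
    try:
        resolve_confined(configured_path, allowed_roots)
        return True
    except (PermissionError, FileNotFoundError):
        return False


def list_files_confined(configured_path: str, allowed_roots=ALLOWED_ROOTS) -> list[str]:
    """Safe counterpart of list_files_unrestricted: only regular files inside
    a confined directory are returned."""
    target = resolve_confined(configured_path, allowed_roots)
    return sorted(p.name for p in target.iterdir() if p.is_file())


def demo() -> dict:
    """Build a constructed directory tree in a temp dir and exercise both
    variants. Returns observations as a dict so they can be checked without
    depending on the host's real filesystem layout."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "outfiles"     # the intended base directory
        secret = Path(tmp) / "secret"     # a folder that must stay hidden
        root.mkdir()
        secret.mkdir()
        (root / "cards_20220801.ibg").write_text("constructed output file")
        (secret / "keys.txt").write_text("constructed sensitive file")
        # Attacker-style setting: PATH repointed directly at the secret folder.
        escaped = str(secret)
        # A symlink inside the root that points outside it.
        link = root / "escape"
        link.symlink_to(secret)
        roots = (str(root),)
        return {
            "unrestricted_leaks": "keys.txt" in list_files_unrestricted(escaped),
            "confined_root": list_files_confined(str(root), roots),
            "escaped_blocked": not is_confined(escaped, roots),
            "symlink_blocked": not is_confined(str(link), roots),
            "dotdot_blocked": not is_confined(str(root / ".." / "secret"), roots),
        }


if __name__ == "__main__":
    print(demo())
```

The check belongs where the setting is saved as well as where it is used: validating only at save time leaves a window for a root that is later replaced by a symlink, and validating only at use time lets a bad value sit in the configuration unnoticed.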
