| عنوان | opensourcepos Open Source Point of Sale 3.4.1 Path Traversal |
|---|
| الوصف | The getPicThumb() method is vulnerable to directory traversal attacks. User input is decoded but not sanitized, allowing attackers to access files outside the intended upload directory.
Vulnerable Code:
public function getPicThumb(string $pic_filename): ResponseInterface
{
helper('file');
$pic_filename = rawurldecode($pic_filename); // Decodes URL encoding
$file_extension = pathinfo($pic_filename, PATHINFO_EXTENSION);
$images = glob("./uploads/item_pics/$pic_filename"); // VULNERABLE: Direct concatenation
$base_path = './uploads/item_pics/' . pathinfo($pic_filename, PATHINFO_FILENAME);
if (sizeof($images) > 0) {
$image_path = $images[0];
$thumb_path = $base_path . "_thumb.$file_extension";
if (sizeof($images) < 2 && !file_exists($thumb_path)) {
$image = Services::image('gd2');
$image->withFile($image_path)
->resize(52, 32, true, 'height')
->save($thumb_path);
}
$this->response->setContentType(mime_content_type($thumb_path));
$this->response->setBody(file_get_contents($thumb_path)); // Reads arbitrary file
}
return $this->response;
}
Even though the possibility of changing the file name to include Path Traversal payloads is low. But there is a possibility this could lead to a successful attack. It is recommended to include proper parsing and sanitization of the file names before they are handled by the source code. Recommendation is to randomize the file names and store it on the server side. Also, basename() can be used to strip the directory components. |
|---|
| المستخدم | Kamran Saifullah (UID 4218) |
|---|
| ارسال | 11/04/2026 12:15 AM (2 أشهر منذ) |
|---|
| الاعتدال | 18/05/2026 06:38 AM (1 month later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 364435 [opensourcepos Open Source Point of Sale حتى 3.4.2 Items.php getPicThumb pic_filename اجتياز الدليل] |
|---|
| النقاط | 17 |
|---|