| 제목 | opensourcepos Open Source Point of Sale 3.4.1 Path Traversal |
|---|
| 설명 | The getPicThumb() method is vulnerable to directory traversal attacks. User input is decoded but not sanitized, allowing attackers to access files outside the intended upload directory.
Vulnerable Code:
public function getPicThumb(string $pic_filename): ResponseInterface
{
helper('file');
$pic_filename = rawurldecode($pic_filename); // Decodes URL encoding
$file_extension = pathinfo($pic_filename, PATHINFO_EXTENSION);
$images = glob("./uploads/item_pics/$pic_filename"); // VULNERABLE: Direct concatenation
$base_path = './uploads/item_pics/' . pathinfo($pic_filename, PATHINFO_FILENAME);
if (sizeof($images) > 0) {
$image_path = $images[0];
$thumb_path = $base_path . "_thumb.$file_extension";
if (sizeof($images) < 2 && !file_exists($thumb_path)) {
$image = Services::image('gd2');
$image->withFile($image_path)
->resize(52, 32, true, 'height')
->save($thumb_path);
}
$this->response->setContentType(mime_content_type($thumb_path));
$this->response->setBody(file_get_contents($thumb_path)); // Reads arbitrary file
}
return $this->response;
}
Even though the possibility of changing the file name to include Path Traversal payloads is low. But there is a possibility this could lead to a successful attack. It is recommended to include proper parsing and sanitization of the file names before they are handled by the source code. Recommendation is to randomize the file names and store it on the server side. Also, basename() can be used to strip the directory components. |
|---|
| 사용자 | Kamran Saifullah (UID 4218) |
|---|
| 제출 | 2026. 04. 11. AM 12:15 (2 개월 ago) |
|---|
| 모더레이션 | 2026. 05. 18. AM 06:38 (1 month later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 364435 [opensourcepos Open Source Point of Sale 까지 3.4.2 Items.php getPicThumb pic_filename 디렉토리 순회] |
|---|
| 포인트들 | 17 |
|---|