| Título | opensourcepos Open Source Point of Sale 3.4.1 Path Traversal |
|---|
| Descrição | The getPicThumb() method is vulnerable to directory traversal attacks. User input is decoded but not sanitized, allowing attackers to access files outside the intended upload directory.
Vulnerable Code:
public function getPicThumb(string $pic_filename): ResponseInterface
{
helper('file');
$pic_filename = rawurldecode($pic_filename); // Decodes URL encoding
$file_extension = pathinfo($pic_filename, PATHINFO_EXTENSION);
$images = glob("./uploads/item_pics/$pic_filename"); // VULNERABLE: Direct concatenation
$base_path = './uploads/item_pics/' . pathinfo($pic_filename, PATHINFO_FILENAME);
if (sizeof($images) > 0) {
$image_path = $images[0];
$thumb_path = $base_path . "_thumb.$file_extension";
if (sizeof($images) < 2 && !file_exists($thumb_path)) {
$image = Services::image('gd2');
$image->withFile($image_path)
->resize(52, 32, true, 'height')
->save($thumb_path);
}
$this->response->setContentType(mime_content_type($thumb_path));
$this->response->setBody(file_get_contents($thumb_path)); // Reads arbitrary file
}
return $this->response;
}
Even though the possibility of changing the file name to include Path Traversal payloads is low. But there is a possibility this could lead to a successful attack. It is recommended to include proper parsing and sanitization of the file names before they are handled by the source code. Recommendation is to randomize the file names and store it on the server side. Also, basename() can be used to strip the directory components. |
|---|
| Utilizador | Kamran Saifullah (UID 4218) |
|---|
| Submissão | 11/04/2026 00h15 (há 2 meses) |
|---|
| Moderação | 18/05/2026 06h38 (1 month later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 364435 [opensourcepos Open Source Point of Sale até 3.4.2 Items.php getPicThumb pic_filename Travessia de Diretório] |
|---|
| Pontos | 17 |
|---|