| Название | opensourcepos Open Source Point of Sale 3.4.1 Path Traversal |
|---|
| Описание | The getPicThumb() method is vulnerable to directory traversal attacks. User input is decoded but not sanitized, allowing attackers to access files outside the intended upload directory.
Vulnerable Code:
public function getPicThumb(string $pic_filename): ResponseInterface
{
helper('file');
$pic_filename = rawurldecode($pic_filename); // Decodes URL encoding
$file_extension = pathinfo($pic_filename, PATHINFO_EXTENSION);
$images = glob("./uploads/item_pics/$pic_filename"); // VULNERABLE: Direct concatenation
$base_path = './uploads/item_pics/' . pathinfo($pic_filename, PATHINFO_FILENAME);
if (sizeof($images) > 0) {
$image_path = $images[0];
$thumb_path = $base_path . "_thumb.$file_extension";
if (sizeof($images) < 2 && !file_exists($thumb_path)) {
$image = Services::image('gd2');
$image->withFile($image_path)
->resize(52, 32, true, 'height')
->save($thumb_path);
}
$this->response->setContentType(mime_content_type($thumb_path));
$this->response->setBody(file_get_contents($thumb_path)); // Reads arbitrary file
}
return $this->response;
}
Even though the possibility of changing the file name to include Path Traversal payloads is low. But there is a possibility this could lead to a successful attack. It is recommended to include proper parsing and sanitization of the file names before they are handled by the source code. Recommendation is to randomize the file names and store it on the server side. Also, basename() can be used to strip the directory components. |
|---|
| Пользователь | Kamran Saifullah (UID 4218) |
|---|
| Представление | 11.04.2026 00:15 (2 месяцы назад) |
|---|
| Модерация | 18.05.2026 06:38 (1 month later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 364435 [opensourcepos Open Source Point of Sale до 3.4.2 Items.php getPicThumb pic_filename обход каталога] |
|---|
| Баллы | 17 |
|---|