Submission #802559: opensourcepos Open Source Point of Sale 3.4.1 Path Traversal
Information

Title: opensourcepos Open Source Point of Sale 3.4.1 Path Traversal
Description: The getPicThumb() method is vulnerable to directory traversal attacks. User input is URL-decoded but not sanitized, allowing attackers to access files outside the intended upload directory.

Vulnerable Code:

    public function getPicThumb(string $pic_filename): ResponseInterface
    {
        helper('file');
        $pic_filename = rawurldecode($pic_filename);  // Decodes URL encoding
        $file_extension = pathinfo($pic_filename, PATHINFO_EXTENSION);
        $images = glob("./uploads/item_pics/$pic_filename");  // VULNERABLE: Direct concatenation
        $base_path = './uploads/item_pics/' . pathinfo($pic_filename, PATHINFO_FILENAME);
        if (sizeof($images) > 0) {
            $image_path = $images[0];
            $thumb_path = $base_path . "_thumb.$file_extension";
            if (sizeof($images) < 2 && !file_exists($thumb_path)) {
                $image = Services::image('gd2');
                $image->withFile($image_path)
                    ->resize(52, 32, true, 'height')
                    ->save($thumb_path);
            }
            $this->response->setContentType(mime_content_type($thumb_path));
            $this->response->setBody(file_get_contents($thumb_path));  // Reads arbitrary file
        }
        return $this->response;
    }

Even though the likelihood of changing the file name to include a path traversal payload is low, there is a possibility that this could lead to a successful attack. It is recommended to parse and sanitize file names properly before the source code handles them. The recommendation is to randomize file names and store them on the server side; basename() can also be used to strip the directory components.
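The following is an added example of the hardening the description recommends; it is not opensourcepos code and not part of the original submission. It replaces the lookup step of getPicThumb() with a function that reduces the decoded name to a bare file name with basename(), applies an allowlist, and confirms with realpath() that the canonical path still lies inside the upload directory before anything is read. The function names, the extension allowlist and the throwaway demo directory are this example's own assumptions; the upload directory layout follows the advisory.

```php
<?php
declare(strict_types=1);

// Added example, not opensourcepos code. Hardened replacement for the lookup
// step of getPicThumb(). The function names and the allowlist are assumptions
// made for this example.

const ALLOWED_IMAGE_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

/**
 * Resolve $picFilename (the raw route value) to an existing file inside
 * $uploadDir, or return null if the name is malformed or escapes the directory.
 */
function resolveItemPic(string $picFilename, string $uploadDir): ?string
{
    // Decode once (as the original does), then drop every directory component:
    // "../../etc/passwd" and "..%2F..%2Fetc%2Fpasswd" both collapse to "passwd".
    $name = basename(rawurldecode($picFilename));

    // Strict allowlist on the name: rejects "", ".", "..", NUL bytes, and any
    // extension that is not an image type this endpoint is meant to serve.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.([A-Za-z0-9]+)\z/', $name, $m)
        || !in_array(strtolower($m[1]), ALLOWED_IMAGE_EXTENSIONS, true)) {
        return null;
    }

    // Canonicalise both sides and require the file to sit under the upload
    // directory. realpath() also resolves symlinks, so a link inside the
    // directory that points outside it is rejected here as well.
    $dir = realpath($uploadDir);
    $file = realpath($uploadDir . DIRECTORY_SEPARATOR . $name);
    if ($dir === false || $file === false
        || strncmp($file, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
        return null;
    }
    return $file;
}

/** Thumbnail path derived only from an already-validated picture path. */
function thumbPathFor(string $validatedPic): string
{
    $info = pathinfo($validatedPic);
    return $info['dirname'] . DIRECTORY_SEPARATOR
        . $info['filename'] . '_thumb.' . $info['extension'];
}

// Constructed demo: a throwaway upload directory holding one image name.
$uploadDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'item_pics_demo_' . getmypid();
mkdir($uploadDir, 0700, true);
file_put_contents($uploadDir . DIRECTORY_SEPARATOR . 'coffee.png', 'placeholder bytes');

$probes = [
    'coffee.png',                 // legitimate name -> OK
    'coffee.png/../coffee.png',   // basename() keeps only the final component -> OK
    '..%2F..%2Fetc%2Fpasswd',     // encoded traversal -> rejected (no image extension)
    '../../../../etc/passwd',     // plain traversal -> rejected
    'config.php',                 // inside the directory but not an image -> rejected
    'missing.png',                // well-formed but absent -> rejected
];
foreach ($probes as $probe) {
    $resolved = resolveItemPic($probe, $uploadDir);
    printf("%-28s -> %s\n", $probe,
        $resolved === null ? 'rejected' : 'OK, thumb at ' . thumbPathFor($resolved));
}

unlink($uploadDir . DIRECTORY_SEPARATOR . 'coffee.png');
rmdir($uploadDir);
```

Run it with `php resolve_item_pic.php`; every probe except the two forms of `coffee.png` is rejected before glob(), file_exists() or file_get_contents() would ever see the attacker-controlled path. The prefix comparison appends a directory separator so that a sibling directory such as `item_pics_old` cannot pass as a prefix match of `item_pics`.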
User: Kamran Saifullah (UID 4218)
Submitted: 11/04/2026 00:15 (2 months ago)
Moderated: 18/05/2026 06:38 (1 month later)
Status: accepted
VulDB Entry: 364435 [opensourcepos Open Source Point of Sale up to 3.4.2 Items.php getPicThumb pic_filename path traversal]
Points: 17
