Erxes
cpe:2.3:a:erxes:erxes:*:*:*:*:*:*:*
- < 1.6.2
A path traversal vulnerability has been identified in Erxes versions prior to 1.6.2, allowing unauthenticated attackers to read arbitrary files from the system via the '/read-file' endpoint. The vulnerability arises because user-controlled input is not properly sanitized, enabling attackers to manipulate file paths and access sensitive files, such as those containing environment variables with authentication secrets.
Exploitation of this vulnerability allows for arbitrary file reading, with potential access to sensitive information such as database credentials and other application secrets.
The vulnerability can be reproduced by sending a GET request to the '/read-file' endpoint with a 'key' query parameter that includes a path traversal payload, such as '../../../../some/secret/file'. This request can be made using tools like curl or Postman.
Users are advised to update to Erxes version 1.6.3, which addresses the path traversal vulnerability by sanitizing user-controlled filenames to prevent the inclusion of unwanted characters.
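The unsanitized lookup and the kind of filename sanitization described above can be contrasted in a short added example. This is not Erxes source code: `UPLOAD_DIR`, `resolveUnsafe` and `resolveSafe` are hypothetical names, and the directory is a constructed value.

```javascript
// Added example: hypothetical file-lookup helpers, not Erxes source code.
// path.posix keeps the results identical on every platform.
const path = require('path').posix;

// Assumed storage directory (constructed for illustration).
const UPLOAD_DIR = '/srv/app/uploads';

// Vulnerable pattern: the 'key' query value is joined to the base
// directory as-is, so '../' segments walk out of UPLOAD_DIR.
function resolveUnsafe(key) {
  return path.join(UPLOAD_DIR, key);
}

// Hardened pattern: allowlist the filename characters, then confirm
// that the resolved path is still inside UPLOAD_DIR.
function resolveSafe(key) {
  // Repeated query parameters can arrive as arrays; accept strings only.
  if (typeof key !== 'string' || key.length === 0) return null;
  // Letters, digits, dot, dash, underscore. This rejects separators,
  // NUL bytes and '%' (leftover URL encoding) in one step.
  if (!/^[A-Za-z0-9._-]+$/.test(key)) return null;
  // '.' and '..' pass the character check but are not filenames.
  if (key === '.' || key === '..') return null;
  const resolved = path.resolve(UPLOAD_DIR, key);
  // Defence in depth: the result must sit strictly below UPLOAD_DIR.
  if (!resolved.startsWith(UPLOAD_DIR + '/')) return null;
  return resolved;
}

// Constructed sample inputs, including the payload shape quoted above.
const samples = [
  'report-2023.pdf',
  '../../../../some/secret/file',
  '..%2f.env',
  '/etc/passwd',
];
for (const key of samples) {
  console.log(JSON.stringify(key), '->', resolveUnsafe(key), '|', resolveSafe(key));
}
```

A handler built on `resolveSafe` would return an error response whenever the function yields `null`, rather than falling back to the raw key.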