Erxes
cpe:2.3:a:erxes:erxes:*:*:*:*:*:*:*
- < 1.6.2
A path traversal vulnerability has been identified in Erxes versions prior to 1.6.2. This vulnerability allows authenticated attackers to write to arbitrary files on the system via the importHistoriesCreate GraphQL mutation. The issue arises because user-controlled data is not properly sanitized, enabling attackers to manipulate file paths and overwrite sensitive files.
Exploitation of this vulnerability allows for arbitrary file writes, which could be used to overwrite files with malicious payloads that are executed by the application.
To reproduce this vulnerability, an authenticated attacker can upload a file to an S3 bucket that they control, including a payload designed to be executed as a script. Afterward, the attacker can invoke the importHistoriesCreate GraphQL mutation, which will download the file from S3 to the local file system of the Erxes application. The path traversal payload can be used to specify a location that overwrites the /data/enabled-services.js file, which is executed by the application.
Users are advised to update to Erxes version 1.6.3, which addresses this vulnerability by sanitizing filenames to prevent path traversal.
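The advisory describes the fix as filename sanitization. The following added example (not Erxes code and not the actual patch) puts the unsafe join pattern beside a hardened form in Node.js; UPLOAD_DIR and all function names are assumptions made for illustration.

```javascript
const path = require("node:path");

// Assumed import directory; the advisory does not state the real one.
const UPLOAD_DIR = "/app/uploads";

// Unsafe pattern: the caller-supplied name is joined as-is, so "../"
// segments are normalized and the result can land outside UPLOAD_DIR.
function unsafeImportPath(fileName) {
  return path.posix.join(UPLOAD_DIR, fileName);
}

// Hardened pattern: validate the name, then verify containment.
function safeImportPath(fileName) {
  if (typeof fileName !== "string" || fileName.length === 0) {
    throw new Error("file name required");
  }
  // Refuse NUL bytes, both separator styles, and dot-only names.
  if (/[\0\/\\]/.test(fileName) || /^\.+$/.test(fileName)) {
    throw new Error("invalid file name");
  }
  const resolved = path.posix.resolve(UPLOAD_DIR, fileName);
  // Defence in depth: the resolved path must stay under UPLOAD_DIR.
  if (!resolved.startsWith(UPLOAD_DIR + "/")) {
    throw new Error("path escapes upload directory");
  }
  return resolved;
}

// Helper for checks: true when the hardened function refuses the name.
function isRejected(fileName) {
  try {
    safeImportPath(fileName);
    return false;
  } catch {
    return true;
  }
}

// Constructed sample names, not taken from a real request.
for (const name of ["contacts.csv", "../../data/enabled-services.js"]) {
  console.log(name, "->", unsafeImportPath(name), "| rejected:", isRejected(name));
}
```

Validating the name and then re-checking the resolved path means a gap in one check is still caught by the other.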