PMB
cpe:2.3:a:pmb_project:pmb:*:*:*:*:*:*:*
- >= 4.0.10
A vulnerability exists in the PMB platform in versions 4.0.10 and above, allowing attackers to persist temporary files on the server. This issue arises in the file upload functionality at the '/pmb/authorities/import/iimport_authorities' endpoint. When a file is uploaded, the server creates a temporary file that is normally deleted after a POST request is sent to the same endpoint. However, an attacker can intercept and delay this POST request, preventing the temporary file from being removed.
Exploitation of this vulnerability allows for the unauthorized persistence of files on the server, which could potentially be used for malicious purposes.
To reproduce this vulnerability, upload a file through the '/pmb/authorities/import/iimport_authorities' endpoint. After the temporary file is created, intercept the automated POST request that would normally delete the file. By delaying or trapping this request, the temporary file can be left on the server, effectively exploiting the vulnerability.
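The issue above leaves cleanup of the temporary file dependent on a follow-up request from the client. As an added example (not PMB code and not taken from the original entry), the sketch below shows a server-side sweep that reports and removes upload temp files older than a grace period, so that removal no longer depends on that request. The directory, the 15-minute grace period, the file names and the function names are all assumptions.

```python
import os
import stat
import tempfile
import time

def find_stale_uploads(temp_dir, max_age_seconds, now=None):
    """Return sorted paths of regular files in temp_dir older than max_age_seconds."""
    now = time.time() if now is None else now
    stale = []
    with os.scandir(temp_dir) as entries:
        for entry in entries:
            # Do not follow symlinks: only plain files inside temp_dir are considered.
            st = entry.stat(follow_symlinks=False)
            if not stat.S_ISREG(st.st_mode):
                continue
            if now - st.st_mtime > max_age_seconds:
                stale.append(entry.path)
    return sorted(stale)

def sweep(temp_dir, max_age_seconds, now=None, delete=False):
    """Report stale temp files; remove them only when delete=True."""
    stale = find_stale_uploads(temp_dir, max_age_seconds, now)
    removed = []
    for path in stale if delete else []:
        try:
            os.unlink(path)
            removed.append(path)
        except FileNotFoundError:
            pass  # the application removed it between the scan and the unlink
    return stale, removed

def demo():
    """Constructed sample: one fresh upload and one orphan left for two hours."""
    with tempfile.TemporaryDirectory() as d:  # stands in for the upload temp dir (assumption)
        fresh = os.path.join(d, "upload_fresh.tmp")
        orphan = os.path.join(d, "upload_orphan.tmp")
        for p in (fresh, orphan):
            with open(p, "wb") as f:
                f.write(b"constructed sample data")
        old = time.time() - 7200
        os.utime(orphan, (old, old))  # backdate the orphan's mtime
        stale, removed = sweep(d, max_age_seconds=900, delete=True)
        return ([os.path.basename(p) for p in stale],
                [os.path.basename(p) for p in removed],
                sorted(os.listdir(d)))

if __name__ == "__main__":
    print(demo())
```

Run with `delete=False` first to see which files would be removed, then schedule it under the web server's account.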