Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
OpenWGA Path Traversal Vulnerability in TMLScript API WGA.File
Vulnerability
A path traversal vulnerability has been identified in OpenWGA version 7.11.12 Build 737. This issue arises within the TMLScript API, specifically in the WGA.File component, where improper handling of file paths allows for traversal outside of intended directories. An authenticated user with Admin or Design rights can exploit this vulnerability to write files to a web-served directory. If a server-executable file, such as a JSP, is written to the OpenWGA webroot, it can be accessed via HTTP, leading to remote code execution on the server under the application server account.
Impact
Exploitation of this vulnerability allows for remote code execution on the server hosting OpenWGA. The executed code runs with the privileges of the application server user, potentially leading to unauthorized access to application data and configuration, disruption of services, and in some cases, defacement of the application. Additionally, depending on the network environment and host hardening, there may be opportunities for lateral movement within the network.
Reproduction
To reproduce this vulnerability, authenticate to the OpenWGA Admin Client with a role that has permission to execute TMLScript. Once authenticated, use the WGA.File API to create a file in a directory that is served by the web server. After verifying that the file has been successfully written, a reverse shell payload can be uploaded by writing a JSP file into the webroot. This file can then be accessed over HTTP, triggering the execution of the uploaded JSP payload on the server.
Remediation
Short-term mitigations include restricting the WGA.File API to prevent writes to served directories, denying dangerous file extensions by default, and ensuring the OpenWGA process user does not have write permissions to executed paths. Long-term fixes could involve implementing a TMLScript sandbox that rejects absolute paths and webroot targets, as well as separating application and content directories with strict permissions.
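The long-term fix above amounts to a path policy applied before any script-driven write: canonicalise the target, reject absolute paths and anything that escapes the content directory, refuse targets inside a served directory, and deny executable extensions by default. The following is an added illustration of such a check, not OpenWGA code and not the TMLScript sandbox itself; the directory names and the extension deny list are constructed for the example.

```python
from pathlib import Path, PurePosixPath

# Constructed deny list: extensions the application server would execute or
# that are otherwise unsafe to let a script write. Extend to the server's own list.
DENIED_EXTENSIONS = {".jsp", ".jspx", ".jsf", ".war", ".jar", ".class", ".sh"}


class PathPolicyError(ValueError):
    """Raised when a requested write target violates the sandbox policy."""


def resolve_write_target(requested: str, content_root: str, served_roots) -> Path:
    """Canonicalise `requested` under `content_root` and enforce the policy.

    Rejects absolute paths, anything that escapes content_root after
    normalisation (covers '..' segments and symlinks), any target inside a
    served directory, and denied extensions. Returns the safe absolute path.
    """
    if "\x00" in requested:
        raise PathPolicyError("embedded NUL byte in path")
    req = PurePosixPath(requested)
    if req.is_absolute():
        raise PathPolicyError("absolute paths are not permitted")
    root = Path(content_root).resolve()
    # resolve() collapses '.' and '..' and follows symlinks, so the containment
    # check below sees the real on-disk location, not the caller's spelling.
    target = (root / req).resolve()
    if root != target and root not in target.parents:
        raise PathPolicyError(f"{requested!r} escapes the content root")
    for served in served_roots:
        served = Path(served).resolve()
        if target == served or served in target.parents:
            raise PathPolicyError(f"{requested!r} lands in served directory {served}")
    # Check every suffix so 'shell.jsp.txt' is also refused by default.
    if any(s.lower() in DENIED_EXTENSIONS for s in target.suffixes):
        raise PathPolicyError(f"{requested!r} has a denied extension")
    return target


def is_write_allowed(requested: str, content_root: str, served_roots) -> bool:
    """Boolean convenience wrapper around resolve_write_target()."""
    try:
        resolve_write_target(requested, content_root, served_roots)
        return True
    except PathPolicyError:
        return False


if __name__ == "__main__":
    ROOT, SERVED = "/srv/openwga/content", ["/srv/openwga/webroot", "/srv/openwga/content/public"]
    for p in ["reports/summary.txt", "../webroot/x.jsp", "/etc/passwd", "public/a.html"]:
        print(f"{p:22} allowed={is_write_allowed(p, ROOT, SERVED)}")
```

Because the check runs after canonicalisation, a symlink planted inside the content directory that points at the webroot is caught by the served-directory test rather than by the spelling of the request.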
