Scada-LTS
cpe:2.3:a:scada-lts:scada-lts:*:*:*:*:*:*:*
- <= 1cfaed4b35117e4871bc3dfeae073f61d8e3bb3d
A path traversal vulnerability has been identified in the project import functionality of Scada-LTS versions through 2.7.8.1. The issue arises in the 'Common.getHomeDir' method of 'ZIPProjectManager.java', where ZIP entry names are not sufficiently validated, so traversal sequences in an entry name are honored during import. This can lead to arbitrary file overwrites in locations under the user's home directory, typically the Tomcat base directory. The vulnerability can be exploited remotely, and a public exploit is available.
Exploitation of this vulnerability allows for arbitrary file writes under the user's home directory, which can be used to overwrite UI assets, potentially introduce malicious SVGs for stored cross-site scripting attacks, or modify other resources accessed by users.
To reproduce this vulnerability, authenticate as an administrator in Scada-LTS. Create a ZIP file containing a payload that exploits the path traversal vulnerability by including a file with a name that traverses out of the intended directory. Upload this ZIP file through the project's import feature. After the import, the overwritten file can be found in the Scada-LTS assets directory, demonstrating the successful exploitation of the vulnerability.
No specific remediation is known at this time.
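The missing validation described above is a containment check on each ZIP entry name before anything is written. The Java sketch below is an added example, not Scada-LTS code and not a vendor patch; the class name `SafeZipExtract` and its methods are hypothetical, and the entry names in `main` are constructed samples.

```java
import java.io.*;
import java.nio.file.*;
import java.util.Enumeration;
import java.util.zip.*;

// Added example; SafeZipExtract and its methods are hypothetical names, not Scada-LTS code.
public final class SafeZipExtract {

    // Resolve an entry name under baseDir and reject names that escape it
    // ("../" sequences or absolute paths). normalize() does not follow symlinks,
    // so baseDir itself must not contain attacker-controlled links.
    static Path resolveEntry(Path baseDir, String entryName) throws IOException {
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        if (!target.startsWith(base)) { // component-wise comparison, not a string prefix
            throw new IOException("ZIP entry escapes target directory: " + entryName);
        }
        return target;
    }

    // Extract every entry, validating its destination before any write happens.
    static void extract(File zip, Path baseDir) throws IOException {
        try (ZipFile zf = new ZipFile(zip)) {
            Enumeration<? extends ZipEntry> entries = zf.entries();
            while (entries.hasMoreElements()) {
                ZipEntry e = entries.nextElement();
                Path target = resolveEntry(baseDir, e.getName());
                if (e.isDirectory()) {
                    Files.createDirectories(target);
                    continue;
                }
                Files.createDirectories(target.getParent());
                try (InputStream in = zf.getInputStream(e)) {
                    Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
                }
            }
        }
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("import");
        // Constructed sample entry names: one benign, two that leave the base directory.
        for (String name : new String[] {"uploads/logo.png", "../assets/logo.svg", "a/../../x"}) {
            try {
                System.out.println("ok   " + resolveEntry(base, name));
            } catch (IOException ex) {
                System.out.println("deny " + name);
            }
        }
    }
}
```

Rejecting the whole archive on the first failing entry, rather than skipping that entry, avoids leaving a partially imported project behind.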