GPT Academic Arbitrary File Read Vulnerability via Tarfile Extraction of Soft Links

A vulnerability in GPT Academic versions through 3.91 allows for arbitrary file reading on the server. This issue arises from improper handling of soft links when files are uploaded as tar.gz archives. An attacker can create a soft link to a target file, package it into a tar.gz file, and upload it. When the archive is decompressed on the server, the soft link redirects to the target file, enabling access to its contents.

Impact

Exploitation of this vulnerability allows for reading any file on the server, severely compromising data confidentiality.

Reproduction

To reproduce this vulnerability, create a soft link file that points to a target file, such as '/etc/passwd'. Then, package this soft link into a tar.gz file using the 'tar' command. Upload the tar.gz file to the server. After the file is extracted, the soft link will point to the target file on the server, allowing access to its contents.