ZOO-Project Web Processing Service Path Traversal Vulnerability in VRT File Handling
Vulnerability
A path traversal vulnerability has been identified in the ZOO-Project's Web Processing Service (WPS) implementation, specifically within its GDAL processing capabilities. The vulnerability allows unauthorized access to files outside the intended directory through the handling of VRT (GDAL Virtual Format) files. The issue arises because the Gdal_Translate service fails to validate the file paths given in the SourceFilename element of a VRTRasterBand, so an attacker can use relative path traversal sequences to make the service read arbitrary files on the system. When such a VRT is processed, the referenced file's contents are written into the output by converting them to TIFF format, potentially exposing sensitive information such as system configuration or credentials.
Impact
Exploitation of this vulnerability allows an unauthenticated attacker to read arbitrary files from the server, including sensitive system files, configuration data, and credentials. The vulnerability can be exploited remotely through the WPS service, without any authentication requirements.
Reproduction
To reproduce this vulnerability, create a VRT file that includes a path traversal in the SourceFilename element, such as referencing a file like 'flag.txt' located several directories up from the VRT file's directory. Then, send a POST request to the WPS service with the 'Gdal_Translate' operation, including the crafted VRT file as the payload. After the request is processed, the output file can be retrieved from the web server's temporary directory, which will contain the contents of the file referenced in the VRT's SourceFilename element, converted to TIFF format.
Remediation
Users are advised to upgrade to version 5f155a8, where this vulnerability has been patched. After upgrading, ensure that the WPS service is configured to validate file paths properly, preventing the use of relative path traversal sequences. Additionally, consider implementing file access restrictions that limit reading operations to designated directories, and establish a whitelist of allowed input and output directories for GDAL operations.
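The path validation the remediation calls for, as an added example that is not ZOO-Project or GDAL code: it parses every SourceFilename in a VRT, resolves it the way GDAL does (relative to the VRT's own directory when relativeToVRT="1"), and rejects the dataset if any source resolves outside an allowed base directory. The sample VRT, the directory names and the function names are all constructed for this example.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample VRT: band 1 points inside the data directory, band 2 uses
# relative traversal to escape it (the pattern described in the advisory).
SAMPLE_VRT = """<VRTDataset rasterXSize="1" rasterYSize="1">
  <VRTRasterBand dataType="Byte" band="1">
    <SimpleSource>
      <SourceFilename relativeToVRT="1">tiles/ok.tif</SourceFilename>
    </SimpleSource>
  </VRTRasterBand>
  <VRTRasterBand dataType="Byte" band="2">
    <SimpleSource>
      <SourceFilename relativeToVRT="1">../../../flag.txt</SourceFilename>
    </SimpleSource>
  </VRTRasterBand>
</VRTDataset>"""


def source_paths(vrt_text):
    """Yield (path, relative_to_vrt) for every SourceFilename in the VRT."""
    root = ET.fromstring(vrt_text)
    for elem in root.iter("SourceFilename"):
        yield (elem.text or "").strip(), elem.get("relativeToVRT") == "1"


def resolve_source(path, relative_to_vrt, vrt_dir):
    """Resolve a SourceFilename: relative to the VRT's directory when
    relativeToVRT="1", otherwise relative to the process cwd (or absolute)."""
    base = vrt_dir if relative_to_vrt else os.getcwd()
    # realpath normalises ".." segments and follows existing symlinks.
    return os.path.realpath(os.path.join(base, path))


def is_within(path, allowed_dir):
    """True only if path is allowed_dir itself or a descendant of it.
    commonpath compares whole path components, so /data2 is not inside /data."""
    allowed = os.path.realpath(allowed_dir)
    try:
        return os.path.commonpath([path, allowed]) == allowed
    except ValueError:  # mixed absolute/relative or different drives
        return False


def check_vrt(vrt_text, vrt_dir, allowed_dir):
    """Return [(source, resolved_path, allowed)] for every SourceFilename."""
    return [(src, r, is_within(r, allowed_dir))
            for src, rel in source_paths(vrt_text)
            for r in [resolve_source(src, rel, vrt_dir)]]


def vrt_is_safe(vrt_text, vrt_dir, allowed_dir):
    """Reject the whole dataset if any source escapes the allowed directory."""
    return all(ok for _, _, ok in check_vrt(vrt_text, vrt_dir, allowed_dir))
```

The same check should be applied to the output path handed to Gdal_Translate, since the advisory's output is written to a web-served temporary directory.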