GHOSTS Path Traversal Vulnerability in Photo Retrieval API Endpoint

Vulnerability

A path traversal vulnerability has been identified in GHOSTS version 8.0.0.0, allowing authenticated users to access files outside the intended directory via the photo retrieval endpoint for Non-Player Characters (NPCs). The vulnerability arises because the endpoint does not properly validate and sanitize file paths. When an NPC is created with a photo link containing path traversal sequences, the application processes these without adequate sanitization. This flaw enables directory traversal, potentially exposing sensitive system files. The issue is critical as it allows reading arbitrary files from the server's filesystem with the web application process's permissions, which could include configuration files, credentials, or other sensitive data.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the server, including configuration files and credentials, depending on the application's service account permissions.

Reproduction

To reproduce this vulnerability, create an NPC by sending a POST request to the /api/npcs endpoint. Include a photo link that contains path traversal sequences, such as '../', to navigate outside the intended directory. After the NPC is created, access the photo retrieval endpoint for that NPC. The server will respond with the contents of the traversed file instead of a legitimate photo, demonstrating successful exploitation.

Remediation

Users are advised to upgrade to GHOSTS version 8.2.7.90 or later, where this vulnerability has been patched. The updated version includes proper path validation and sanitization to remove or block traversal sequences before processing file paths.
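As an added illustration of the path validation the fix calls for, written for this advisory and not taken from GHOSTS itself, the check below maps a stored NPC photo link to a file and refuses anything that would leave the photo directory. The photo directory and the sample links are assumptions.

```python
from pathlib import Path, PurePosixPath
from typing import Optional
from urllib.parse import unquote

# Assumed photo directory; constructed for this example, not the project's real location.
PHOTO_ROOT = Path("/srv/ghosts/photos")


def resolve_photo_path(photo_link: str, root: Path = PHOTO_ROOT) -> Optional[Path]:
    """Return the file under root that a stored photo link refers to, or None if rejected.

    Two layers: a lexical check that refuses any '..' segment (the sequence this
    advisory describes), then a containment check on the fully resolved path, which
    also catches symlinks inside the photo directory that point elsewhere.
    """
    if not photo_link or "\x00" in photo_link:
        return None
    # Decode one level of percent-encoding and normalise Windows separators so that
    # '..%2F' and '..\\' are recognised as the traversal segments they are.
    link = unquote(photo_link).replace("\\", "/")
    segments = PurePosixPath(link).parts
    if not segments or link.startswith("/") or any(part == ".." for part in segments):
        return None
    root_resolved = root.resolve()
    candidate = (root_resolved / link).resolve()
    # Defence in depth: the resolved target must still sit strictly inside the root.
    if candidate == root_resolved or root_resolved not in candidate.parents:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample links, as an operator might find them stored on NPC records.
    for link in ("npcs/npc1.png", "../../etc/passwd", "..%2F..%2Fetc%2Fpasswd"):
        print(f"{link!r:32} -> {resolve_photo_path(link)}")
```

Links that the check returns as None are also the ones worth logging, since a stored photo link containing '..' is the indicator this advisory describes.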

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm (score per category)

spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.