TRUfusion Enterprise Path Traversal Vulnerability Allowing Arbitrary File Write and Remote Code Execution

Vulnerability

A path traversal vulnerability has been identified in TRUfusion Enterprise versions through 7.10.4.0. The vulnerability exists in the file upload endpoint, where the application fails to properly sanitize input, allowing attackers to include path traversal sequences. This flaw can be exploited to write files of any type and content to any location on the local server to which the web server user has write access. Successful exploitation enables remote execution of arbitrary code.

Impact

Exploitation of this vulnerability allows for arbitrary file writes, which can be used to upload malicious files that are executed on the server, leading to remote code execution.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/trufusionPortal/fileupload' endpoint. The 'token' parameter must include path traversal sequences to navigate to a writable directory, such as the TRUfusion web portal path. The 'file' parameter should contain the payload, such as a JSP web shell, which will be executed once uploaded.

Remediation

Users are advised to update to TRUfusion Enterprise versions 7.10.3.1, 7.10.1.1, 7.10.1.0, 7.10.3.0, 7.9.6.1, 7.9.6.0, 7.9.3.0, 7.9.3.1, 7.9.2.1, 7.10.0.1, 7.9.5.0 or 7.10.2.0.
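The root cause described above is a caller-controlled file name being joined onto an upload directory without canonicalisation. The check below is an added example, not TRUfusion's code: it decodes the name until stable, resolves the final path, and proves it still lies inside the upload root, rejecting plain, percent-encoded and double-encoded traversal as well as absolute names. The upload root and the sample names are placeholders, not values from the advisory.

```python
from pathlib import Path
from urllib.parse import unquote

# Placeholder upload root (assumption, not from the advisory).
UPLOAD_ROOT = "/srv/trufusion/uploads"


def resolve_upload_target(upload_root: str, token: str) -> Path:
    """Return the canonical destination for a caller-supplied file name.

    Raises ValueError when the name would land outside upload_root. The
    fix is not to strip '../' (easily bypassed with encoding or nested
    sequences) but to canonicalise the final path and prove containment.
    """
    root = Path(upload_root).resolve()
    name = token
    # Decode percent-encoding until stable so '%252e%252e' becomes '..'.
    for _ in range(3):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    if not name or "\x00" in name or "\\" in name:
        raise ValueError(f"rejected file name: {token!r}")
    # Path.resolve() collapses '..' and follows symlinks; an absolute name
    # replaces root entirely, so the containment check catches that too.
    candidate = (root / name).resolve()
    if root not in candidate.parents:
        raise ValueError(f"path escapes upload root: {token!r}")
    return candidate


def is_safe_token(upload_root: str, token: str) -> bool:
    """Boolean wrapper for bulk checks of candidate file names."""
    try:
        resolve_upload_target(upload_root, token)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate name, then traversal variants.
    samples = ["report.pdf", "../../webapps/portal/x.jsp",
               "%2e%2e/%2e%2e/x.jsp", "%252e%252e/x.jsp", "/etc/motd", "."]
    for s in samples:
        verdict = "ok" if is_safe_token(UPLOAD_ROOT, s) else "REJECTED"
        print(f"{s!r:32} -> {verdict}")
```

The same containment test applies wherever the 'token' value is used to build a destination path, regardless of how the sequence is encoded on the wire.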

Added: Oct 27, 2025, 5:26 PM
Updated: Oct 27, 2025, 5:26 PM

Vulnerability Rating

Custom Algorithm

  spread           0.8
  impact          10.0
  exploitability   9.5
  remediation      7.7
  relevance        0.8
  threat           6.4
  urgency          2.9
  incentive       10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.