PwnDoc
cpe:2.3:a:pwndoc_project:pwndoc:*:*:*:*:*:*:*
- < 1.2.0
A vulnerability in PwnDoc's backup restore functionality prior to version 1.2.0 allows administrators to import raw data into the database, including path traversal sequences. The template update feature then uses the paths stored in the database when writing content to disk, so the imported values allow arbitrary content to be written, potentially overwriting source code and enabling remote code execution. Any user with the 'backups:create', 'backups:update', and 'templates:update' permissions can exploit this vulnerability.
Exploitation of this vulnerability allows for arbitrary file writing, which can be used to overwrite source code and achieve remote code execution.
To reproduce this vulnerability, an administrator must upload a backup TAR file containing a 'templates.json' file with path traversal sequences. The backup restore process will import the data, including the traversal sequences, which can then be used to write arbitrary content to the filesystem. This can be done by updating a template and specifying a file name that includes '../' sequences to target a writable location, such as a JavaScript file in the '/tmp' directory.
Users are advised to update to PwnDoc version 1.2.0 or later, where this vulnerability has been fixed.
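For instances that cannot be upgraded immediately, a backup archive can be inspected before it is restored. The following is an added example, not PwnDoc's own code: it opens a backup TAR, reads 'templates.json', and reports every string value that is absolute or contains a '..' path component. The layout of 'templates.json' (a list of records) and the field names `name` and `ext` in the sample are assumptions made for illustration.

```python
import io
import json
import tarfile
from pathlib import PurePosixPath, PureWindowsPath

def is_unsafe_name(value):
    """True if a string is absolute or has a '..' component (either separator)."""
    if not isinstance(value, str):
        return False
    return any(p.is_absolute() or ".." in p.parts
               for p in (PurePosixPath(value), PureWindowsPath(value)))

def walk(node, path=""):
    """Yield (json_path, leaf_value) for every leaf in a parsed JSON document."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from walk(val, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from walk(val, f"{path}[{i}]")
    else:
        yield path, node

def audit_backup(tar_bytes, member="templates.json"):
    """Return (archive_member, json_path, value) for each suspicious string."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for info in tar.getmembers():
            if not info.isfile() or PurePosixPath(info.name).name != member:
                continue
            data = json.load(tar.extractfile(info))  # parsed only, never extracted to disk
            findings += [(info.name, where, value)
                         for where, value in walk(data) if is_unsafe_name(value)]
    return findings

def build_sample_backup(records):
    """Constructed sample input: an in-memory TAR holding only templates.json."""
    payload = json.dumps(records).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("templates.json")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

# Constructed records; field names are hypothetical, not taken from PwnDoc.
SAMPLE = [{"name": "Default Template", "ext": "docx"},
          {"name": "../../../tmp/example", "ext": "js"}]

if __name__ == "__main__":
    for finding in audit_backup(build_sample_backup(SAMPLE)):
        print("suspicious value:", finding)
```

A non-empty result means the archive should not be restored until the flagged records have been reviewed.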