ZendTo Path Traversal Vulnerability Allowing File Access and Denial-of-Service

A path traversal vulnerability has been identified in the file dropoff functionality of ZendTo versions 6.15 through 7 and prior. This vulnerability allows remote, authenticated attackers to access files of other ZendTo users, retrieve files from the host system, or cause a denial-of-service condition.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive files of other users or files on the host system. Additionally, it could cause a denial-of-service condition by disrupting the ZendTo service.

Reproduction

To reproduce this vulnerability, an authenticated user can upload a file by creating a dropoff request. During this process, the user can manually specify the 'chunkName' value to bypass sanitization, effectively directing the request to the root upload directory. Then, by manipulating the 'tmp_name' variable, which is not properly sanitized, the user can traverse directories and access arbitrary files, such as the ZendTo log file. Once the file is moved to the dropoff directory, it can be downloaded, exposing its contents to the attacker.

Remediation

Users are advised to upgrade to ZendTo version 6.15-8, where this vulnerability has been patched.