MapTiler Tileserver-PHP Directory Traversal Vulnerability Allowing Arbitrary File Read

Vulnerability

A directory traversal vulnerability has been identified in MapTiler Tileserver-PHP version 2.0. The issue arises in the 'renderTile' function of 'tileserver.php', which serves tiles stored as files on the server. Because the file path is built from request input without sanitisation, '../' sequences can be inserted into it, enabling unauthorized reads of any file on the web server. The vulnerable GET parameters are 'TileMatrix', 'TileRow', 'TileCol', and 'Format'.

Impact

Exploitation of this vulnerability leads to unauthorized file read access on the server.

Reproduction

To reproduce this vulnerability, send a GET request to 'tileserver.php' with the 'TileMatrix', 'TileRow', 'TileCol', and 'Format' parameters. Include a crafted 'Format' parameter that traverses directories using '../' to access sensitive files, such as '/etc/passwd'.

Remediation

Input validation should be implemented to prevent directory traversal: the '/' character should be rejected in the file path parameters, and a further check should confirm that the resolved file lies within the current working directory before it is read.
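The following PHP is an added illustration of the remediation described above; it is not Tileserver-PHP's own code. It assumes a tile root directory, an allow-list of output formats, and the function name 'resolveTilePath', none of which come from the advisory. The four parameter names are those the advisory lists. Coordinates are accepted only as plain digit strings, the format only from the allow-list, and the assembled path is canonicalised with realpath() and checked to sit beneath the tile root before anything is read.

```php
<?php
// Added example, not Tileserver-PHP's code. TILE_BASE_DIR, ALLOWED_FORMATS
// and resolveTilePath() are assumptions chosen for illustration.
declare(strict_types=1);

const TILE_BASE_DIR    = __DIR__ . '/tiles';                 // assumed tile root
const ALLOWED_FORMATS  = ['png' => 'image/png',               // assumed allow-list
                          'jpg' => 'image/jpeg',
                          'pbf' => 'application/x-protobuf'];

/**
 * Return the canonical path of the requested tile, or null when any parameter
 * fails structural validation or the resolved file lies outside TILE_BASE_DIR.
 */
function resolveTilePath(string $matrix, string $row, string $col, string $format): ?string
{
    // 1. Structural validation: only digit strings for coordinates (this also
    //    rejects '/', '.', '-' and empty input), only allow-listed extensions.
    if (!ctype_digit($matrix) || !ctype_digit($row) || !ctype_digit($col)) {
        return null;
    }
    if (!array_key_exists($format, ALLOWED_FORMATS)) {
        return null;
    }

    $candidate = TILE_BASE_DIR . "/$matrix/$row/$col.$format";

    // 2. Containment check: realpath() collapses '..' segments and symlinks and
    //    returns false for a file that does not exist; the result must start
    //    with the canonical base directory plus a separator.
    $base = realpath(TILE_BASE_DIR);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Request handling using the advisory's parameter names.
$path = resolveTilePath(
    (string)($_GET['TileMatrix'] ?? ''),
    (string)($_GET['TileRow']    ?? ''),
    (string)($_GET['TileCol']    ?? ''),
    (string)($_GET['Format']     ?? '')
);

if ($path === null) {
    // Invalid or out-of-tree request: fail closed without revealing the path.
    http_response_code(404);
    exit;
}

header('Content-Type: ' . ALLOWED_FORMATS[pathinfo($path, PATHINFO_EXTENSION)]);
readfile($path);
```

The two layers are deliberately redundant: the digit and allow-list checks reject traversal input before a path is ever built, and the realpath() containment check catches anything the first layer misses, including symlinks inside the tile directory that point elsewhere. A missing file and a traversal attempt both end in the same 404, so the response does not confirm whether an out-of-tree path exists.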

Added: Jul 29, 2025, 5:18 PM
Updated: Jul 29, 2025, 7:02 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.8
exploitability: 8.7
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.