LiquidFiles Path Traversal Vulnerability Leading to Remote Code Execution

A directory traversal vulnerability has been identified in LiquidFiles versions prior to 4.1.2. This vulnerability allows authenticated users to execute arbitrary code on the server by manipulating the pathname of a local executable file through ActionScript configurations. The issue arises because path components are not properly sanitized, enabling the injection of traversal sequences to access unauthorized directories.

Impact

Exploitation of this vulnerability allows for remote code execution on the server with the privileges of the '_actionscript' user.

Reproduction

To reproduce this vulnerability, an authenticated user with admin privileges can upload an ActionScript executable and then configure it to be triggered by certain events. By intercepting the request that saves the ActionScript configuration, the user can inject a directory traversal payload that exploits the lack of proper path sanitization. Once the ActionScript is executed, the injected payload can be used to execute arbitrary commands on the server.

Remediation

Users are advised to update to LiquidFiles version 4.1.2 or later, where this vulnerability has been patched.