Thermo Fisher Torrent Suite Django Application Arbitrary File Write Vulnerability
Vulnerability
A vulnerability in the Thermo Fisher Torrent Suite Django application version 5.18.1 allows low-privilege users to upload ZIP files to the server via the /configure/plugins/plugin/upload/zip/ and /configure/newupdates/offline/bundle/upload/ endpoints. The plupload_file_upload function, which manages these uploads, fails to properly sanitize the filename or the name parameter before constructing the destination file path. This oversight enables path traversal attacks, as the file extension is extracted and used to build the final path without adequate validation. An authenticated attacker with network access can exploit this to write arbitrary files to the server, potentially leading to remote code execution by overwriting an executable file, such as pdflatex, which is then executed via subprocess.Popen in the write_report_pdf function after accessing a specific report endpoint.
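As an added illustration (not Torrent Suite's code and not a reproduction of plupload_file_upload), the Python below contrasts the unsafe pattern the advisory describes, joining a client-controlled name plus a client-controlled extension onto the upload directory with no validation, against a hardened destination builder that allow-lists the name and extension and then verifies containment. The upload root, the extension allow-list and the helper names are assumptions for this example.

```python
import os
import re
from pathlib import Path

# Constructed values for the illustration; the real application's upload
# directory and extension policy are not documented in the advisory.
UPLOAD_ROOT = "/tmp/ts_uploads"
ALLOWED_EXTENSIONS = {".zip"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def naive_destination(upload_root: str, name: str, filename: str) -> str:
    """Hypothetical unsafe pattern: append the extension taken from the
    client-supplied filename to the client-supplied name and join it onto the
    upload directory. Traversal sequences in 'name' walk out of upload_root."""
    ext = os.path.splitext(filename)[1]
    return os.path.normpath(os.path.join(upload_root, name + ext))


class UnsafeUploadName(ValueError):
    """Raised when a client-supplied name or extension fails validation."""


def safe_destination(upload_root: str, name: str, filename: str) -> str:
    """Hardened construction: allow-list the stored name and the extension,
    then confirm the resolved path is still inside upload_root."""
    # Reject anything carrying a directory component or unusual characters.
    base = os.path.basename(name)
    if base != name or not SAFE_NAME.match(base):
        raise UnsafeUploadName(f"rejected name: {name!r}")
    # Only the extension is taken from the uploaded filename, and only if allowed.
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UnsafeUploadName(f"rejected extension: {ext!r}")
    root = Path(upload_root).resolve()
    dest = (root / (base + ext)).resolve()
    # Independent containment check in case the rules above are ever loosened.
    if root not in dest.parents:
        raise UnsafeUploadName(f"path escapes upload root: {dest}")
    return str(dest)


def is_accepted(name: str, filename: str) -> bool:
    """Convenience wrapper: True if the hardened builder accepts the input."""
    try:
        safe_destination(UPLOAD_ROOT, name, filename)
        return True
    except UnsafeUploadName:
        return False
```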
Impact
Exploitation of this vulnerability allows authenticated users to write arbitrary files on the server, with the potential to execute malicious code by overwriting certain executable files.
Remediation
Users are advised to verify that the Torrent Suite software is not using default login credentials, review their network setup configuration to align with recommended security practices, and restrict public network access to the software and associated devices.
