qBit Manage Path Traversal Vulnerability in Web API Allowing Arbitrary File Read

Vulnerability

A path traversal vulnerability has been identified in qBit Manage versions 4.5.0 through 4.5.3. It lies in the application's web API, in the restore_config_from_backup endpoint: the backup_id parameter is not validated before it is used to locate a backup file, so an authenticated user can supply path traversal sequences (such as ../) that escape the backup directory and read arbitrary files from the server's filesystem.

Impact

Exploitation of this vulnerability discloses any file readable by the account under which qBit Manage runs, including the application's own configuration files and system files such as /etc/passwd; /etc/shadow is exposed only if the process runs as root. The disclosed information can be used for privilege escalation or to compromise application secrets and credentials stored in the configuration.

Reproduction

To reproduce this vulnerability, send an authenticated POST request to the restore_config_from_backup endpoint with a backup_id value that contains path traversal sequences, for example ../../../../etc/passwd. Because the value is joined onto the backup directory without validation, the traversal escapes that directory and the handler reads the file the client chose.
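The following is an added illustration of the bug class described in the Vulnerability and Reproduction sections above; it is not qBit Manage's code and the function names are hypothetical. It places a resolver that joins backup_id onto the backup directory unchecked beside a hardened resolver that confines the result to that directory, and runs both against constructed inputs, including the absolute-path case in which os.path.join silently discards the base directory.

```python
"""Vulnerable versus hardened resolution of a backup_id (added example).

Not qBit Manage's own code: it models the unvalidated join the advisory
describes next to a resolver that enforces the directory boundary. Names
and inputs are hypothetical / constructed.
"""
import os
import tempfile
from pathlib import Path

# Constructed inputs: one legitimate backup file name and three payloads
# of the kind the advisory describes (as received after URL decoding).
LEGIT_ID = "config_20250819.yml"
TRAVERSAL_IDS = [
    "../../../../etc/passwd",          # classic traversal
    "/etc/passwd",                     # absolute path: os.path.join drops backup_dir
    "backups/../../../etc/passwd",     # traversal hidden behind a plausible prefix
]


def resolve_backup_vulnerable(backup_dir: str, backup_id: str) -> str:
    """Hypothetical vulnerable resolver: joins untrusted input directly.

    os.path.join keeps '..' segments and, for an absolute backup_id,
    discards backup_dir entirely, so the caller reads whatever the client chose.
    """
    return os.path.normpath(os.path.join(backup_dir, backup_id))


def resolve_backup_hardened(backup_dir: str, backup_id: str) -> Path:
    """Hypothetical hardened resolver: confines the result to backup_dir.

    1. backup_id must be a bare file name (no separators, not '.' or '..').
    2. After symlink resolution, backup_dir must be a parent of the target,
       so a symlinked backup cannot point outside the directory either.
    3. The target must exist as a regular file.
    Each check alone stops the payloads above; together they also cover
    symlinks and bad names that the first check does not see.
    """
    base = Path(backup_dir).resolve()
    if backup_id != os.path.basename(backup_id) or backup_id in (".", ".."):
        raise ValueError("backup_id must be a plain file name")
    target = (base / backup_id).resolve()
    if base not in target.parents:
        raise ValueError("backup_id escapes the backup directory")
    if not target.is_file():
        raise FileNotFoundError(backup_id)
    return target


def escapes(backup_dir: str, resolved: str) -> bool:
    """True when a resolved path lies outside backup_dir (the vulnerable outcome)."""
    base = os.path.realpath(backup_dir)
    return os.path.commonpath([base, os.path.realpath(resolved)]) != base


def demo() -> dict:
    """Run both resolvers on the constructed inputs in a throwaway directory."""
    with tempfile.TemporaryDirectory() as backup_dir:
        (Path(backup_dir) / LEGIT_ID).write_text("qbt: {}\n")  # constructed backup
        legit = resolve_backup_hardened(backup_dir, LEGIT_ID)
        rejected = []
        for bid in TRAVERSAL_IDS:
            try:
                resolve_backup_hardened(backup_dir, bid)
            except ValueError:
                rejected.append(bid)
        vulnerable_escapes = [
            bid for bid in TRAVERSAL_IDS
            if escapes(backup_dir, resolve_backup_vulnerable(backup_dir, bid))
        ]
        return {
            "legit_ok": legit.name == LEGIT_ID and legit.parent == Path(backup_dir).resolve(),
            "vulnerable_legit_ok": not escapes(backup_dir, resolve_backup_vulnerable(backup_dir, LEGIT_ID)),
            "rejected": rejected,
            "vulnerable_escapes": vulnerable_escapes,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The second check (parent test after Path.resolve) is the one that matters in practice: a name-only check stops the payloads shown here, but a resolver that only normalises the string is defeated by a symlink dropped into the backup directory, whereas resolving both sides first makes the boundary test hold for real paths.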

Remediation

Users are advised to upgrade to qBit Manage version 4.5.4 or later. If an immediate upgrade is not possible, disable the web API or restrict access to it to trusted IP addresses, for example at a reverse proxy. Also review web server logs for requests to restore_config_from_backup whose backup_id contains traversal sequences (../, including URL-encoded forms such as %2e%2e%2f), and rotate any credentials held in the configuration if such requests are found.
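As an added example of the log review suggested above (not part of this advisory or of qBit Manage), the scanner below reads Combined Log Format access-log lines, URL-decodes the request repeatedly so double-encoded payloads are not missed, and flags requests to the restore_config_from_backup endpoint whose backup_id query value would escape a directory. The /api/ route prefix and the log lines are constructed placeholders; match the route your proxy actually logs.

```python
"""Flag traversal attempts against restore_config_from_backup in access logs.

Added example, not the project's code. Route prefix and log lines are
constructed; the endpoint is matched as a path substring (assumption).
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "restore_config_from_backup"

# Combined Log Format: ip ident user [ts] "METHOD URI PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: one benign restore, two traversal attempts
# (single- and double-encoded), one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Aug/2025:18:55:01 +0000] "POST /api/restore_config_from_backup?backup_id=config_20250819.yml HTTP/1.1" 200 57',
    '203.0.113.9 - - [19/Aug/2025:18:57:42 +0000] "POST /api/restore_config_from_backup?backup_id=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1893',
    '203.0.113.9 - - [19/Aug/2025:18:58:03 +0000] "POST /api/restore_config_from_backup?backup_id=..%252F..%252Fetc%252Fshadow HTTP/1.1" 200 0',
    '10.0.0.5 - - [19/Aug/2025:19:01:10 +0000] "GET /api/list_backups HTTP/1.1" 200 302',
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so '..%252F' (double-encoded) becomes '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(backup_id: str) -> bool:
    """True if the decoded value is absolute or contains a '..' path segment."""
    v = fully_decode(backup_id).replace("\\", "/")
    return v.startswith("/") or ".." in v.split("/")


def scan_access_log(lines):
    """Return (ip, timestamp, decoded backup_id) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["uri"])
        if ENDPOINT not in fully_decode(parts.path):
            continue
        # parse_qs performs one round of decoding; fully_decode does the rest.
        params = parse_qs(parts.query, keep_blank_values=True)
        for bid in params.get("backup_id", []):
            if is_traversal(bid):
                hits.append((m["ip"], m["ts"], fully_decode(bid)))
    return hits


if __name__ == "__main__":
    for ip, ts, bid in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} backup_id={bid!r}")
```

Caveat: an access log only records the request line, so a backup_id carried in a POST body is invisible to this scan; catching that case needs application-level request logging or a proxy configured to log bodies for this route. Treat a hit with status 200 as a likely successful read and rotate credentials accordingly.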

Added: Aug 19, 2025, 7:03 PM
Updated: Aug 19, 2025, 7:03 PM

Vulnerability Rating

Custom Algorithm
spread:          0.0
impact:          2.5
exploitability:  6.6
remediation:     7.7
relevance:       0.4
threat:          6.4
urgency:         2.9
incentive:       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.