DreamFactory Core Directory Traversal Vulnerability in RestController.php Allowing Remote Code Execution
Vulnerability
A directory traversal vulnerability has been identified in DreamFactory Core version 1.0.3, specifically within the RestController.php component. The component does not properly sanitize client-controlled URL paths. By manipulating the URI path, an authenticated attacker can traverse directories and write or overwrite files with arbitrary content, and those files can then be executed as PHP scripts. Exploitation requires a user with permission to send 'POST' requests to the '/api/v2/files' endpoint.
Impact
Exploitation of this vulnerability allows for remote code execution on the server, with the executed code running as the 'www-data' user.
Reproduction
To reproduce this vulnerability, an authenticated user must have a role that permits 'POST' requests to the '/api/v2/files' endpoint. Once these conditions are met, the user can send a 'POST' request that includes a crafted file upload. The request must specify a file name that includes directory traversal sequences, such as '../..', to navigate the file system. The uploaded file should contain a PHP payload, which will be executed once the file is accessed through the web server.
Remediation
Users can upgrade to DreamFactory Core version 1.0.4 or later, where this vulnerability has been fixed.
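For reviewing similar upload handlers, the following added example (not DreamFactory's code and not the 1.0.4 patch) shows the kind of path containment check whose absence the advisory describes. STORAGE_ROOT, resolveUploadPath() and the sample paths are hypothetical names and constructed values.

```php
<?php
// Added example, not DreamFactory code. STORAGE_ROOT and resolveUploadPath()
// are hypothetical names chosen for illustration.
const STORAGE_ROOT = '/var/www/storage/app'; // constructed sample root

// Map a client-supplied path to an absolute path under $root, or return null
// if it would escape. Resolution is lexical because realpath() returns false
// for a file that does not exist yet, which is the normal case for an upload.
function resolveUploadPath(string $root, string $clientPath): ?string
{
    // Assumption: $clientPath is the raw, still percent-encoded URI path;
    // drop this decode if the framework has already decoded it.
    $path = rawurldecode($clientPath);
    if (strpos($path, "\0") !== false) {
        return null; // NUL bytes never belong in a file name
    }
    // Treat backslashes as separators so "..\.." is handled like "../..".
    $path = str_replace('\\', '/', $path);

    $stack = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue; // empty and current-directory segments add nothing
        }
        if ($segment === '..') {
            // Popping past the root means the path escapes: refuse outright.
            if (array_pop($stack) === null) {
                return null;
            }
            continue;
        }
        $stack[] = $segment;
    }
    if ($stack === []) {
        return null; // nothing left to use as a file name
    }
    return rtrim($root, '/') . '/' . implode('/', $stack);
}

// Constructed sample inputs: two benign paths and three traversal attempts.
$samples = ['reports/q1.csv', 'a/../b.txt', '../../x.php', '%2e%2e/%2e%2e/x.php', 'a/../../x.php'];
foreach ($samples as $s) {
    printf("%-22s => %s\n", $s, resolveUploadPath(STORAGE_ROOT, $s) ?? 'REJECTED');
}
```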
