Rocket TRUfusion Enterprise Path Traversal Vulnerability Leading to Remote Code Execution

Vulnerability

A path traversal vulnerability has been identified in Rocket TRUfusion Enterprise versions prior to 7.10.5. The issue arises in the file upload handling of the 'uploadFile' operation within the 'WsPortalV6UpDwAxis2Impl' service. The vulnerability allows authenticated users to manipulate the 'jobDirectory' parameter, bypassing intended upload restrictions and writing files to arbitrary locations on the local filesystem. This arbitrary file write capability could be exploited to execute malicious code, particularly if the uploaded file is placed in a web-accessible or executable directory. The risk of exploitation is heightened in environments that have not changed the default admin password, 'trubiquity'.

Impact

Exploitation of this vulnerability allows for authenticated path traversal, leading to arbitrary file write capabilities. If the written files are executed or accessed through a web server, this could result in remote code execution.

Reproduction

To reproduce this vulnerability, send a SOAP request to the '/axis2/services/WsPortalV6UpDwAxis2Impl' endpoint. Include the 'jobDirectory' parameter with a path traversal sequence that directs to a writable location, such as the web application's JSP directory. The 'dataHandler' parameter can be used to upload a file, such as a JSP shell, which could then be executed if placed in an accessible location.

Remediation

Users are advised to update to Rocket TRUfusion Enterprise version 7.10.5.
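For defenders who cannot patch immediately, the weakness class is illustrated below with an added example (not Rocket TRUfusion's code): a naive join of the client-supplied 'jobDirectory' beside a containment check that rejects traversal and absolute segments and confirms the canonical result stays under the upload root. The upload root and file names are constructed for the example.

```python
import posixpath
from pathlib import PurePosixPath

# Constructed upload root; the real TRUfusion directory layout is not on the page.
UPLOAD_ROOT = "/opt/trufusion/uploads"


def vulnerable_target_path(upload_root: str, job_directory: str, filename: str) -> str:
    """Naive handling (illustrative, not the product's code): the client-supplied
    jobDirectory is joined without validation, so '..' segments walk out of the root."""
    return posixpath.normpath(posixpath.join(upload_root, job_directory, filename))


def safe_target_path(upload_root: str, job_directory: str, filename: str) -> str:
    """Hardened handling: reject absolute paths, backslashes and '..' segments,
    canonicalise, then confirm the result is still inside the upload root."""
    if not filename or filename != posixpath.basename(filename):
        raise ValueError("filename must be a bare name")
    root = PurePosixPath(upload_root)
    for segment in PurePosixPath(job_directory).parts:
        if segment in ("..", "/") or "\\" in segment:
            raise ValueError("jobDirectory contains a traversal or absolute segment")
    # PurePosixPath does not touch the filesystem, so the check is deterministic;
    # on a live server also resolve symlinks (os.path.realpath) before this test.
    candidate = PurePosixPath(posixpath.normpath(str(root / job_directory / filename)))
    if root not in candidate.parents:
        raise ValueError("resolved path escapes the upload root")
    return str(candidate)


def is_safe_job_directory(upload_root: str, job_directory: str, filename: str) -> bool:
    """Boolean wrapper for request-validation or log-review tooling."""
    try:
        safe_target_path(upload_root, job_directory, filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # A traversal in jobDirectory lands outside the upload root with the naive join.
    print(vulnerable_target_path(UPLOAD_ROOT, "../../webapps/ROOT", "x.jsp"))
    # The same input is refused by the hardened version.
    print(is_safe_job_directory(UPLOAD_ROOT, "../../webapps/ROOT", "x.jsp"))
```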

Added: Feb 17, 2026, 7:50 PM
Updated: Feb 17, 2026, 7:50 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 3.3
exploitability: 8.0
remediation: 7.7
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.