Austrian Archaeological Institute Openatlas Path Traversal Vulnerability Allowing Local File Inclusion

Vulnerability

A path traversal vulnerability allowing local file inclusion (LFI) has been identified in the Austrian Archaeological Institute's Openatlas application, in versions prior to 8.12.0. The issue arises in the file.py component, specifically within the size query parameter of the /display/ endpoint. This vulnerability enables authenticated attackers to read files outside the designated upload directory, such as application configuration files containing sensitive information like database credentials and secret keys.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive configuration files, such as production.py, which may contain database credentials and Flask's SECRET_KEY. This could facilitate further attacks, including session forging, database access, or remote code execution when combined with other vulnerabilities.

Reproduction

The vulnerability can be reproduced by sending a crafted request to the /display/ endpoint with a size parameter that includes directory traversal sequences. This request should be made by an authenticated user with minimal privileges. The crafted size parameter can be used to navigate outside the intended upload directory and read sensitive files, such as the application's configuration.

Remediation

Users are advised to update Openatlas to version 8.13.0 or later.
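As an added illustration of the check a hardened /display/ handler needs (example code written for this page, not Openatlas's own file.py; the upload directory, the size names and the file names are constructed assumptions), the naive join is shown beside a resolver that allow-lists the size name and verifies the resolved path still lies under the upload root:

```python
from pathlib import Path

# Constructed example values; the real Openatlas layout and size names are assumptions.
UPLOAD_DIR = "/srv/openatlas/uploads"
ALLOWED_SIZES = ("thumbnail", "table")


class PathTraversalRejected(ValueError):
    """Raised when a requested path would leave the upload directory."""


def unsafe_display_path(base_dir: str, size: str, filename: str) -> Path:
    """Naive join: trusts the size parameter, so '..' segments escape base_dir."""
    return Path(base_dir) / size / filename


def safe_display_path(base_dir: str, size: str, filename: str) -> Path:
    """Hardened resolver: allow-list the size name, then verify containment."""
    # 1. Reject anything that is not an expected size name outright.
    if size not in ALLOWED_SIZES:
        raise PathTraversalRejected(f"unknown size {size!r}")
    # 2. Reject filenames carrying separators or parent references.
    if filename in ("", ".", "..") or filename != Path(filename).name:
        raise PathTraversalRejected(f"invalid filename {filename!r}")
    # 3. Resolve the full path and confirm it is still under the upload root.
    base = Path(base_dir).resolve()
    candidate = (base / size / filename).resolve()
    try:
        candidate.relative_to(base)
    except ValueError as exc:
        raise PathTraversalRejected(f"{candidate} escapes {base}") from exc
    return candidate


def escapes_upload_dir(base_dir: str, path: Path) -> bool:
    """Defender's check: True if path does not stay within base_dir once resolved."""
    try:
        Path(path).resolve().relative_to(Path(base_dir).resolve())
        return False
    except ValueError:
        return True


def is_allowed_request(base_dir: str, size: str, filename: str) -> bool:
    """Convenience wrapper returning whether the hardened resolver accepts the request."""
    try:
        safe_display_path(base_dir, size, filename)
        return True
    except PathTraversalRejected:
        return False
```

The same containment test applies to any user-controlled path segment, not only the size parameter.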

Added: Nov 24, 2025, 4:18 PM
Updated: Nov 24, 2025, 7:24 PM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          2.5
exploitability  6.6
remediation     7.7
relevance       1.1
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.