Traccar
cpe:2.3:a:traccar:traccar:*:*:*:*:*:*:*
- >= 6.1, <= 6.8.1
- >= 5.8, <= 6.0
A local file inclusion vulnerability has been identified in Traccar, an open-source GPS tracking system, affecting default installations on Windows in Traccar versions 6.1 through 6.8.1, as well as non-default installations in versions 5.8 to 6.0. This vulnerability allows unauthenticated users to include arbitrary files from the file system, potentially leading to the disclosure of sensitive information such as passwords or the Traccar configuration file. In versions 5.8 to 6.0, the vulnerability only arises if the 'web.override' entry is set in the configuration file. The issue is present by default in versions 6.1 to 6.8.1, as the web override is enabled by default.
Exploitation of this vulnerability allows for the unauthorized retrieval of any file on the file system, including sensitive files such as the Traccar configuration file, which may contain passwords and other critical information.
To reproduce this vulnerability in Traccar versions 5.8 to 6.8.1, install the service on Windows and ensure that the 'web.override' option is enabled in the configuration file. Then send a request to the Traccar server that uses path traversal to reach the Traccar configuration file. In versions 6.1 to 6.8.1, this vulnerability can be reproduced by default without any additional configuration.
Users can upgrade to Traccar version 6.9.0 or later, where this vulnerability has been patched.
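The following triage helper is an added example, not code from Traccar or from this advisory. It turns the advisory's two affected ranges and the 'web.override' condition into a check a defender can run against an installed version string and the server's configuration file. The `<entry key='...'>value</entry>` layout of the sample configuration is assumed to match Traccar's XML properties format; the sample configurations themselves are constructed for the example.

```python
"""Triage helper: is a Traccar install inside this advisory's affected ranges?"""
import re
import xml.etree.ElementTree as ET

# Inclusive version bounds taken from the advisory text.
AFFECTED_DEFAULT = ((6, 1, 0), (6, 8, 1))   # vulnerable out of the box
AFFECTED_OVERRIDE = ((5, 8, 0), (6, 0, 0))  # vulnerable only if web.override is set
FIXED = (6, 9, 0)                           # first patched release

# Constructed sample configs. The <entry key='...'> layout is assumed to be
# Traccar's properties format; the values are invented for this example.
CONFIG_PLAIN = """<?xml version='1.0' encoding='UTF-8'?>
<properties>
  <entry key='config.default'>./conf/default.xml</entry>
  <entry key='database.driver'>org.h2.Driver</entry>
</properties>"""

CONFIG_OVERRIDE = """<?xml version='1.0' encoding='UTF-8'?>
<properties>
  <entry key='config.default'>./conf/default.xml</entry>
  <entry key='web.override'>./override</entry>
</properties>"""


def parse_version(text):
    """'6.8.1' -> (6, 8, 1); '5.8' -> (5, 8, 0). Missing components count as 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def web_override_set(config_xml):
    """True when the configuration contains a non-empty 'web.override' entry."""
    root = ET.fromstring(config_xml)
    return any(
        e.get("key") == "web.override" and (e.text or "").strip()
        for e in root.iter("entry")
    )


def assess(version_text, config_xml):
    """Classify an install against the advisory's version ranges and condition."""
    v = parse_version(version_text)
    if v >= FIXED:
        return "patched"
    if AFFECTED_DEFAULT[0] <= v <= AFFECTED_DEFAULT[1]:
        # 6.1 to 6.8.1: the web override is enabled by default, so the
        # configuration file does not change the verdict.
        return "affected: web override enabled by default, upgrade to 6.9.0 or later"
    if AFFECTED_OVERRIDE[0] <= v <= AFFECTED_OVERRIDE[1]:
        # 5.8 to 6.0: only exposed when the operator set web.override.
        if web_override_set(config_xml):
            return "affected: web.override is set, remove it or upgrade to 6.9.0 or later"
        return "not affected: web.override not set"
    return "outside advisory ranges"


if __name__ == "__main__":
    for version, cfg in (("6.8.1", CONFIG_PLAIN), ("5.9", CONFIG_PLAIN),
                         ("5.9", CONFIG_OVERRIDE), ("6.9.0", CONFIG_OVERRIDE)):
        print(f"Traccar {version}: {assess(version, cfg)}")
```

Run it against the real version string and `traccar.xml` of an installation; the only outcome that clears an install without an upgrade is a 5.8 to 6.0 release whose configuration has no 'web.override' entry, which is exactly the condition the advisory describes.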