MacWarrior ClipBucket
cpe:2.3:a:clip-bucket:clipbucket:*:*:*:*:*:*:*
- <= 5.5.2 - #146
A path traversal vulnerability has been identified in ClipBucket versions 5.5.2 - #146 and earlier. The issue resides in the /admin_area/template_editor.php endpoint, where inadequate validation of the file-loading path allows authenticated administrators to read and write arbitrary files outside the designated template directory. By inserting path traversal sequences into the folder parameter, an attacker with admin privileges can access sensitive files, such as /etc/passwd, and modify writable files on the system. This vulnerability could lead to unauthorized disclosure of sensitive information and compromise of the application or server.
Exploitation of this vulnerability allows for arbitrary file read and write operations, with the potential to disclose sensitive information and compromise the application or server.
To reproduce this vulnerability, an authenticated administrator can navigate to the /admin_area/template_editor.php endpoint. By inserting '../' sequences into the folder parameter, it is possible to traverse directories and access files outside the intended directory. For example, accessing '/etc/passwd' demonstrates the vulnerability. Once a writable file is targeted, it can be modified through the same interface.
Users can update to ClipBucket version 5.5.2 - #147, where this vulnerability has been fixed.
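The root cause described above is a folder parameter that is joined onto the template directory without being confined to it. The following is an added example of such a containment check, written for this page and not taken from ClipBucket's code; the function name, the base directory and the demo paths are assumptions.

```php
<?php
// Added example (not ClipBucket's own code): confine a user-supplied
// "folder" parameter to a fixed template base directory before any
// file read or write. Names and paths are assumed, not from the project.

function resolve_template_path(string $baseDir, string $folder, string $file): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory must exist
    }
    // Embedded NUL bytes are rejected up front (PHP 8 filesystem calls throw on them)
    if (strpos($folder, "\0") !== false || strpos($file, "\0") !== false) {
        return null;
    }
    // The file part must be a bare name: no directory separators, no "..".
    if ($file === '' || $file === '.' || $file === '..' || basename($file) !== $file) {
        return null;
    }
    // realpath() collapses "../" segments and symlinks and returns false
    // when the resolved directory does not exist.
    $dir = realpath($base . DIRECTORY_SEPARATOR . $folder);
    if ($dir === false) {
        return null;
    }
    // Containment check: the resolved directory must be the base itself
    // or lie strictly inside it (prefix compared with a trailing separator
    // so that "/srv/tpl" does not match "/srv/tpl_other").
    if ($dir !== $base && strpos($dir, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $dir . DIRECTORY_SEPARATOR . $file;
}

// Demo on a constructed temporary template directory.
$base = sys_get_temp_dir() . '/tpl_demo_' . getmypid();
mkdir($base . '/theme', 0700, true);
file_put_contents($base . '/theme/index.html', '');

var_dump(resolve_template_path($base, 'theme', 'index.html'));  // string: path inside $base
var_dump(resolve_template_path($base, '', 'index.html'));       // string: file in $base itself
var_dump(resolve_template_path($base, '../../etc', 'passwd'));  // NULL: escapes the base
var_dump(resolve_template_path($base, 'theme', '../x.html'));   // NULL: separator in file name

unlink($base . '/theme/index.html');
rmdir($base . '/theme');
rmdir($base);
```

Callers should use only the returned path for the subsequent read or write and treat a null result as a rejected request worth logging, since an administrator account submitting traversal sequences is itself a signal of compromise.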