Laravel File Manager Directory Traversal Vulnerability Allowing Arbitrary File Disclosure

Vulnerability

A directory traversal vulnerability has been identified in Laravel File Manager versions through 3.3.1. It allows authenticated users to manipulate the zip/archiving functionality so that the created archive includes files and directories outside the intended storage scope. The root cause is improper path validation: the paths supplied in the ZIP request are not canonicalised and confined to the storage root, so traversal sequences can be used to reach sensitive files such as environment configurations, SSH keys, and application secrets.

Impact

Exploitation of this vulnerability leads to arbitrary file disclosure, allowing access to sensitive files that could facilitate privilege escalation or lateral exploitation within the system.

Reproduction

To reproduce this vulnerability, an authenticated user can upload or select a file or folder within the Laravel File Manager interface. Once a file or folder is selected, the user can manipulate the ZIP request payload to include directory traversal sequences, such as relative path indicators that navigate up the directory structure. After modifying the payload to include sensitive files, the user can trigger the ZIP creation process. The backend will resolve the paths, including the traversed directories, and create a ZIP file containing the requested files. Finally, the generated ZIP can be downloaded, revealing the sensitive files from arbitrary locations on the server.

Remediation

Users are advised to implement canonical path validation: normalise each requested file path, resolve it against the designated storage root, and reject any result that does not remain inside that root. Any request containing traversal sequences should be rejected outright. Additionally, server-side allowlist logic can be applied so that ZIP creation is only permitted from known, explicitly allowed directories. Users should also update to a patched version once the vendor releases a fix for this vulnerability.
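The following is an added example of the remediation described above, written by the editor for this page; it is not code from the advisory or from the Laravel File Manager project. It assumes a PHP 8 application, a storage root obtained from `storage_path()`, and a request field named `elements` carrying the requested paths; the class, method and parameter names are illustrative. Every requested entry is checked lexically for traversal sequences, optionally against an allowlist of top-level directories, and finally canonicalised with `realpath()` so that symlinks cannot lead outside the root.

```php
<?php
// Added example (not the project's own code): canonical path validation and
// directory allowlisting for a ZIP request. Requires PHP 8 (str_starts_with).
declare(strict_types=1);

final class ZipPathValidator
{
    private string $root;
    /** @var string[] top-level directories (relative to root) permitted for archiving; empty = all */
    private array $allowedDirs;

    public function __construct(string $storageRoot, array $allowedDirs = [])
    {
        $real = realpath($storageRoot);
        if ($real === false) {
            throw new RuntimeException("storage root does not exist: $storageRoot");
        }
        $this->root = rtrim($real, DIRECTORY_SEPARATOR);
        $this->allowedDirs = $allowedDirs;
    }

    /**
     * Returns the canonical absolute path for a user-supplied relative path,
     * or throws InvalidArgumentException if the path must not be archived.
     */
    public function resolve(string $requested): string
    {
        // 1. NUL bytes, empty input and absolute paths (POSIX or drive-letter) are never valid here.
        if ($requested === '' || str_contains($requested, "\0")
            || $requested[0] === '/' || $requested[0] === '\\'
            || preg_match('#^[A-Za-z]:#', $requested) === 1) {
            throw new InvalidArgumentException("absolute or malformed path rejected: $requested");
        }

        // 2. Lexical pass: drop empty and "." segments, reject any ".." outright
        //    instead of trying to normalise it away.
        $segments = [];
        foreach (preg_split('#[\\\\/]+#', $requested) as $segment) {
            if ($segment === '' || $segment === '.') {
                continue;
            }
            if ($segment === '..') {
                throw new InvalidArgumentException("traversal sequence rejected: $requested");
            }
            $segments[] = $segment;
        }
        if ($segments === []) {
            throw new InvalidArgumentException("empty path rejected: $requested");
        }

        // 3. Allowlist: only explicitly permitted top-level directories may be archived.
        if ($this->allowedDirs !== [] && !in_array($segments[0], $this->allowedDirs, true)) {
            throw new InvalidArgumentException("directory not allowlisted: {$segments[0]}");
        }

        // 4. Canonicalise through the filesystem (resolves symlinks) and confirm
        //    the result is still inside the storage root.
        $real = realpath($this->root . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $segments));
        if ($real === false) {
            throw new InvalidArgumentException("path does not exist under storage root: $requested");
        }
        if ($real !== $this->root && !str_starts_with($real, $this->root . DIRECTORY_SEPARATOR)) {
            throw new InvalidArgumentException("path escapes storage root: $requested");
        }
        return $real;
    }

    /** Validates every entry of a ZIP request; any single bad entry aborts the whole request. */
    public function resolveAll(array $requested): array
    {
        return array_map(fn (string $p): string => $this->resolve($p), $requested);
    }
}

// Assumed controller usage: only "public" and "exports" under the storage root may be zipped.
// $validator = new ZipPathValidator(storage_path('app'), ['public', 'exports']);
// $paths = $validator->resolveAll((array) $request->input('elements'));
// // $paths now contains only canonical paths inside storage/app/{public,exports};
// // a request such as "public/../../.env" throws before any archive is built.
```

The lexical check and the `realpath()` prefix check are deliberately both present: the first rejects traversal sequences before any filesystem access, and the second catches symlinks or mount points that a purely textual check cannot see. Failing the whole request on one bad entry, rather than silently dropping it, keeps the behaviour easy to audit in logs.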

Added: Dec 3, 2025, 8:20 PM
Updated: Dec 3, 2025, 8:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.6
remediation: 0.0
relevance: 1.2
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.