Omnispace Agora Project Directory Traversal Vulnerability Allowing Unauthenticated File Read

A directory traversal vulnerability has been identified in the Omnispace Agora Project, affecting versions prior to 25.10. This vulnerability allows unauthenticated attackers to read files on the system through the 'misc' controller and the 'ExternalGetFile' action. The issue arises because the vulnerability can be exploited by manipulating the '_id' parameter to traverse directories and access files with certain extensions, potentially including sensitive configuration or data files.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the server, such as configuration files or other resources depending on the server's file structure and configuration.

Reproduction

The vulnerability can be reproduced by sending a request to the 'misc' controller with the 'ExternalGetFile' action. The '_id' parameter must be crafted to include directory traversal sequences that navigate up the directory structure to access files outside of the intended directory. Only files with extensions can be read, so the payload should target a file that is likely to contain sensitive information, such as a configuration file.

Remediation

Users are advised to update to Omnispace Agora Project version 25.10 or later, where this vulnerability has been fixed.