EVE-NG Directory Traversal Vulnerability in Export API

Vulnerability

A directory traversal vulnerability has been identified in EVE-NG version 6.4.0-13-PRO. The issue arises in the '/api/export' interface, which allows authenticated users to export lab files. The vulnerability is due to inadequate input validation and filtering of file path parameters provided by users. This flaw enables attackers to manipulate file paths and access arbitrary files on the server.

Impact

Exploitation of this vulnerability allows for arbitrary file read, potentially leading to the exposure of sensitive information such as password files.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to the '/api/export' endpoint. The request must include a valid lab file in the 'path' parameter and a crafted filename parameter that contains path traversal sequences, such as '../../../../../etc/passwd'. The server will respond with a download link for a ZIP file containing the requested file from the server.

Remediation

It is recommended to implement strict input validation for file path parameters in the export API. This includes normalizing paths to ensure they remain within expected directories, filtering out traversal sequences, and possibly whitelisting specific file types or directories for export.
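
One way to implement the normalization and allowlisting recommended above, as an added Python example that is not EVE-NG's own code. The function names, the lab root layout and the '.unl' suffix allowlist are assumptions made for illustration.

```python
import os
import tempfile

ALLOWED_SUFFIXES = (".unl",)  # assumption: only lab files are exportable

class ExportPathError(ValueError):
    """The requested target is not an exportable file under the lab root."""

def resolve_export_target(lab_root, lab_dir, filename):
    """Canonicalise lab_root/lab_dir/filename; raise if it leaves lab_root."""
    root = os.path.realpath(lab_root)
    # realpath collapses ../ and follows symlinks, so the checks see the file
    # that would really be opened. An absolute component makes join() drop
    # the root, which the containment check below also catches.
    candidate = os.path.realpath(os.path.join(root, lab_dir, filename))
    # commonpath compares whole components: /labs-old is not inside /labs.
    if os.path.commonpath([root, candidate]) != root:
        raise ExportPathError("path escapes lab root")
    if not candidate.endswith(ALLOWED_SUFFIXES):
        raise ExportPathError("file type not exportable")
    if not os.path.isfile(candidate):
        raise ExportPathError("no such file")
    return candidate

def demo():
    """Check constructed requests against a throwaway lab tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "labs")
        os.makedirs(os.path.join(root, "team1"))
        outside = os.path.join(tmp, "outside.unl")
        for path in (os.path.join(root, "team1", "core.unl"),
                     os.path.join(root, "team1", "notes.txt"), outside):
            open(path, "w").close()
        os.symlink(outside, os.path.join(root, "team1", "link.unl"))
        requests = {  # constructed sample inputs: (lab_dir, filename)
            "normal": ("team1", "core.unl"),
            "dotdot": ("team1", "../../../../../etc/passwd"),
            "absolute": ("team1", "/etc/passwd"),
            "symlink": ("team1", "link.unl"),
            "wrong_type": ("team1", "notes.txt"),
        }
        results = {}
        for name, (lab_dir, filename) in requests.items():
            try:
                resolve_export_target(root, lab_dir, filename)
                results[name] = "allowed"
            except ExportPathError as exc:
                results[name] = str(exc)
        return results
```

The check runs on the canonical path after joining, so it does not depend on stripping '../' from the input, and the export step should open the returned path rather than rebuilding it from the request parameters.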

Added: Dec 19, 2025, 4:18 PM
Updated: Dec 19, 2025, 6:13 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 3.3
exploitability: 6.6
remediation: 0.0
relevance: 1.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.