Traccar
cpe:2.3:a:traccar:traccar:*:*:*:*:*:*:*
- <= 6.11.1
A path traversal vulnerability has been identified in Traccar versions up to and including 6.11.1. The issue allows authenticated users with permission to create or edit devices to set a device's uniqueId to an absolute path. When a device image is uploaded, Traccar constructs the file system path using the uniqueId without ensuring that the final path remains within the media root. This oversight enables files to be written outside the designated media directory. As of now, it is unclear whether a fix is available.
Exploitation of this vulnerability allows arbitrary file writes outside the media directory, which could lead to unauthorized filesystem manipulation, data tampering, or the overwriting of files that the server process can access. The actual impact depends on the server's filesystem permissions, but it is generally considered high risk.
To reproduce this vulnerability, an authenticated user with the ability to create or edit devices and upload device images is required. First, create a device by sending a POST request to the '/api/devices' endpoint with an absolute uniqueId, such as '/tmp/traccar-pwn' on Linux/macOS or 'C:\temp\traccar-pwn' on Windows. After the device is created, upload a small PNG image to the device using the '/api/devices/{id}/image' endpoint. The uploaded image will be saved as 'device.png' outside the configured media path, demonstrating the path traversal vulnerability.
To address this vulnerability, it is recommended to validate the uniqueId to reject absolute paths and path separators, or to normalize the output path and enforce that it remains within the media root before allowing the file write.
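The containment check recommended above, written as an added Java example that is not Traccar's own code; the class name, method name and media root path are hypothetical. It shows why `Path.resolve` alone is not enough (an absolute argument replaces the base path entirely) and combines a uniqueId syntax check with a post-normalization containment check.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public final class MediaPathCheck {

    /** Thrown when a caller-supplied value would place the file outside the media root. */
    public static final class PathEscapeException extends IllegalArgumentException {
        PathEscapeException(String message) { super(message); }
    }

    /**
     * Returns the file a device image should be written to, or throws if the
     * result would leave mediaRoot. uniqueId and fileName are both untrusted.
     */
    public static Path resolveDeviceImage(Path mediaRoot, String uniqueId, String fileName) {
        Path root = mediaRoot.toAbsolutePath().normalize();
        // Reject separators of both platforms, not just the current one, so a value
        // such as "C:\temp\x" cannot be stored on Linux and later resolved on Windows.
        if (uniqueId.isEmpty() || uniqueId.contains("/") || uniqueId.contains("\\")
                || uniqueId.equals(".") || uniqueId.equals("..")) {
            throw new PathEscapeException("uniqueId must be a single plain name: " + uniqueId);
        }
        Path idPath = Paths.get(uniqueId);
        // root.resolve(absolutePath) silently returns absolutePath; this is the flaw
        // class the advisory describes, so an absolute value is refused outright.
        if (idPath.isAbsolute()) {
            throw new PathEscapeException("uniqueId must not be absolute: " + uniqueId);
        }
        Path target = root.resolve(idPath).resolve(fileName).normalize();
        // Containment check after normalization also catches ".." in fileName.
        if (!target.startsWith(root) || target.equals(root)) {
            throw new PathEscapeException("resolved path escapes media root: " + target);
        }
        return target;
    }

    public static void main(String[] args) {
        Path root = Paths.get("/var/lib/traccar/media"); // hypothetical media root
        System.out.println(resolveDeviceImage(root, "123456789012345", "device.png"));
        for (String bad : new String[] {"/tmp/traccar-pwn", "..", "C:\\temp\\traccar-pwn"}) {
            try {
                resolveDeviceImage(root, bad, "device.png");
            } catch (PathEscapeException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The same containment test should be applied to the final path in the upload handler itself, not only at device creation, so that existing records with a bad uniqueId cannot trigger a write.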