OpenMage LTS Dataflow Module Path Traversal Vulnerability

Vulnerability

A path traversal vulnerability has been identified in the Dataflow module of OpenMage Long Term Support (LTS) versions prior to 20.17.0. The module sanitises user-supplied file paths with a blacklist filter that strips '../' sequences rather than canonicalising the path and checking that it stays inside the intended directory. Because the filter only removes the literal sequence it is looking for, an input can be crafted so that a traversal sequence is still present after filtering, letting an authenticated administrator read arbitrary files from the server's filesystem. OpenMage is derived from Magento 1.x, and the vulnerability is present in all versions that include the affected Dataflow module.

Impact

Exploitation of this vulnerability allows an authenticated administrator to read any file the web server process can read, including system user information (for example /etc/passwd), database credentials (in OpenMage these live in app/etc/local.xml), environment secrets, application log files, and other configuration files. Admin access is required, so the issue is a privilege extension for an existing administrator rather than an unauthenticated compromise, but disclosure of credentials from the configuration can lead to access beyond the web application.

Reproduction

To reproduce this vulnerability, an authenticated administrator navigates to the Dataflow Profiles section in the admin panel and creates or modifies an import profile. The 'files' parameter is set to a crafted path traversal string that survives the weak filter. When the profile is run, the Dataflow module opens the resolved path, and the contents of the targeted file, such as '/etc/passwd', are exposed.

Remediation

Upgrade to OpenMage LTS version 20.17.0 or later, where this vulnerability has been patched. If an immediate upgrade is not possible, restrict which admin accounts can reach the Dataflow module, or disable the module entirely if it is not in use; since exploitation requires an authenticated administrator, hardening admin authentication and limiting the number of admin accounts also reduces exposure. A web application firewall rule blocking path traversal patterns can be added as defence in depth, but it is subject to the same class of bypass that defeated the application's own blacklist and should not be relied on as the fix. Run the web server under a user with minimal file permissions so that configuration and secret files outside the web root are not readable, and monitor admin activity for Dataflow profile creations or executions that reference unexpected paths.

Added: Apr 20, 2026, 5:46 PM
Updated: Apr 20, 2026, 5:46 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 2.5
exploitability: 6.3
remediation: 8.3
relevance: 6.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.