TinaCMS Path Traversal Vulnerability in Media Upload Handler Allowing Arbitrary File Write

Vulnerability

A path traversal vulnerability has been identified in TinaCMS versions prior to 2.1.7. The issue arises in the development server's media upload handler, where user-controlled path segments are joined using path.join() without proper validation. Because path.join() normalizes "../" segments rather than rejecting them, a crafted path can escape the intended media directory, allowing files to be written to arbitrary locations on the filesystem and potentially leading to remote code execution. The vulnerability exists in the media upload endpoint, which handles HTTP POST requests.

Impact

Exploitation of this vulnerability allows for arbitrary file writes, with the potential for remote code execution if malicious files are written to executable locations.

Reproduction

The vulnerability can be reproduced by uploading a file through the media upload endpoint using a path traversal sequence in the file name. The uploaded file will be written to a location outside the intended media directory, demonstrating the path traversal flaw.

Remediation

Users should update to TinaCMS version 2.1.7 or later, where this vulnerability has been fixed. Anyone still running the affected media upload handler is advised to add path validation that resolves the final target path and rejects any result that does not remain within the designated media directory.

Added: Mar 12, 2026, 5:21 PM
Updated: Mar 12, 2026, 5:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 8.3
remediation: 0.0
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.