SoftSul SAC-NFe Unauthenticated Path Traversal Vulnerability Allowing Arbitrary File Read
Vulnerability
A path traversal vulnerability has been identified in SoftSul SAC-NFe version 2.0.02 and prior. The issue arises in the file handling logic of download.php and open_pdf.php, where user-supplied file parameters are not properly validated before being used in file system operations. This flaw allows unauthenticated remote attackers to manipulate file paths and access arbitrary files on the server, including sensitive system and application files. The vulnerability is particularly concerning in the context of SAC-NFe's integration with Windows-based fiscal components, as it could lead to the unauthorized disclosure of critical fiscal configuration files and database credentials.
Impact
Exploitation of this vulnerability allows for unauthorized access to arbitrary files on the server, including sensitive system files and application source code. In the context of SAC-NFe, this could result in the exposure of confidential fiscal data and application credentials.
Reproduction
The vulnerability can be reproduced by sending a GET request to the download.php or open_pdf.php endpoints with a crafted file parameter that includes directory traversal sequences or absolute paths. This can be done using a web browser or a tool like cURL. Once the request is sent, the server will respond with the contents of the specified file, bypassing any intended directory restrictions.
Remediation
As no official patch has been released by the vendor, it is recommended that system administrators manually apply a security fix to the download.php and open_pdf.php files. The fix involves implementing proper path validation and sanitization to ensure that only authorized files within a designated directory can be accessed.
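One way to implement the path validation described above, as an added example that is not SoftSul's code or a vendor patch. The base directory name, the `file` parameter name, the extension allowlist and the helper `resolve_download_path` are assumptions to adapt to the real installation; PHP 7.1 or later is assumed.

```php
<?php
// Added example, not SoftSul code. BASE_DIR, the "file" parameter name and
// the extension allowlist are assumptions to adapt to the real installation.
const BASE_DIR = __DIR__ . DIRECTORY_SEPARATOR . 'downloads';
const ALLOWED_EXTENSIONS = ['pdf', 'xml'];

function resolve_download_path(string $baseDir, $requested): ?string
{
    // Reject arrays, empty input and NUL bytes before touching the file system.
    if (!is_string($requested) || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "..", mixed separators and symlinks; it returns
    // false when the target does not exist.
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // Containment check. The trailing separator stops a sibling such as
    // "downloads_old" from matching the "downloads" prefix.
    $prefix = rtrim($base, '/\\') . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Only serve document types the endpoint is meant to deliver.
    $ext = strtolower(pathinfo($full, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXTENSIONS, true) ? $full : null;
}

if (PHP_SAPI !== 'cli') {
    // Web entry point: every rejection gets the same 404, so the response
    // does not reveal which paths exist outside the base directory.
    $path = resolve_download_path(BASE_DIR, $_GET['file'] ?? null);
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

The check compares canonical paths after resolution rather than filtering `..` out of the input string, so encoded or mixed-separator variants and absolute paths are handled by the same containment test.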
