Roxy-WI Path Traversal Vulnerability in Config Version Viewer Allows Authenticated Arbitrary File Read

Vulnerability

A path traversal vulnerability has been identified in Roxy-WI versions prior to 8.2.6.4. The issue arises in the POST /config/<service>/show API endpoint, where the configver parameter is appended to a base directory path without proper validation. This oversight allows authenticated attackers to inject ../ sequences, escape the intended directory, and access arbitrary files on the server that are readable by the web application process. The root cause is a logic error in the path traversal guard: it only inspects a server-side variable that never contains user-controlled data, so the user-supplied configver value is never checked before it is joined to the base path.
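The failure pattern described above (a guard that inspects the wrong value) beside a hardened version, as an added example that is not Roxy-WI's own code. The directory layout, the function names and the minimal `looks_like_traversal` log check are assumptions constructed for this illustration; the secret file and its contents are placeholders.

```python
import os
import tempfile
import urllib.parse
from pathlib import Path


def unsafe_config_path(base_dir: str, configver: str) -> str:
    """Mirrors the flawed pattern described in the advisory (assumed shape,
    not the project's code): the guard looks only at the server-side base
    directory, which never holds user input, so a configver containing
    ../ is joined to the base path unchecked."""
    if ".." in base_dir:  # checks a value the user cannot influence
        raise ValueError("traversal detected")
    return os.path.join(base_dir, configver)


def safe_config_path(base_dir: str, configver: str) -> str:
    """Hardened check: a version identifier must be a single filename
    component, and the resolved candidate must remain under the base
    directory (resolve() also follows symlinks, so a link planted inside
    the base that points outside it is rejected as well)."""
    base = Path(base_dir).resolve()
    if (not configver
            or configver != os.path.basename(configver)   # no separators
            or configver.startswith(".")):                # no '.', '..', hidden
        raise ValueError("invalid configver")
    candidate = (base / configver).resolve()
    if os.path.commonpath([str(base), str(candidate)]) != str(base):
        raise ValueError("traversal detected")
    return str(candidate)


def looks_like_traversal(param: str) -> bool:
    """Detection helper for request logs or a WAF rule: decode percent
    encoding (repeatedly, to catch double encoding), normalise backslashes
    and flag any '..' path component."""
    decoded = param
    for _ in range(3):
        again = urllib.parse.unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return ".." in decoded.replace("\\", "/").split("/")


def demo() -> dict:
    """Constructed scenario: a 'versions' directory holding one config
    version and a placeholder secret file one level above it. Returns
    what each guard does for a legitimate and a traversing configver."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "versions")
    os.mkdir(base)
    with open(os.path.join(base, "v1.cfg"), "w") as fh:
        fh.write("# version 1 (constructed)\n")
    with open(os.path.join(root, "secret.cfg"), "w") as fh:
        fh.write("secret_phrase=PLACEHOLDER_NOT_A_REAL_KEY\n")

    results = {
        "unsafe_legit": os.path.isfile(unsafe_config_path(base, "v1.cfg")),
        # True: the unchecked join escapes the base directory
        "unsafe_traversal": os.path.isfile(unsafe_config_path(base, "../secret.cfg")),
        "safe_legit": os.path.isfile(safe_config_path(base, "v1.cfg")),
    }
    try:
        safe_config_path(base, "../secret.cfg")
        results["safe_traversal"] = "allowed"
    except ValueError:
        results["safe_traversal"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The hardened check rejects the input before any filesystem access, and the resolve-then-commonpath comparison is the part that would have caught the advisory's case even if the component filter were omitted. `looks_like_traversal` is the kind of check a defender would run over access logs for this endpoint while a fleet is being upgraded.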

Impact

Exploitation of this vulnerability allows authenticated users to read any file from the server's filesystem, bypassing normal access controls. A critical scenario involves accessing the Roxy-WI application configuration file to retrieve the secret_phrase, a symmetric encryption key. This key can be used to decrypt SSH credentials stored in the Roxy-WI database, facilitating unauthorized access to managed servers.

Reproduction

To reproduce this vulnerability, send a POST request to the /config/<service>/show endpoint with a valid JWT token in the Cookie header. Include a configver parameter that contains ../ sequences to traverse out of the intended directory and access sensitive files, such as the application config or SSH private keys.

Remediation

Users should update to Roxy-WI version 8.2.6.4 or later, where this vulnerability has been patched.

Added: Apr 20, 2026, 9:26 PM
Updated: Apr 20, 2026, 9:26 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 0.2
exploitability: 6.2
remediation: 7.7
relevance: 6.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.