Code16 Sharp Path Traversal Vulnerability in FileUtil Class

A path traversal vulnerability has been identified in the Code16 Sharp content management framework for Laravel, specifically in versions prior to 9.20.0. The issue arises in the FileUtil class, where the application improperly sanitizes file extensions. This flaw allows path separators to be injected and passed into the storage layer, potentially leading to unauthorized file manipulation. The vulnerability exists in the 'FileUtil::explodeExtension()' function, which extracts file extensions by splitting the filename at the last dot. However, the extracted extension is not adequately sanitized, enabling path traversal exploits.

Impact

Exploitation of this vulnerability allows authenticated attackers to manipulate file paths, writing files outside the designated temporary directory or overwriting critical files such as .env or configuration files. This vulnerability was successfully chained with CWE-434 in a local proof of concept to confirm the traversal.

Remediation

Users can update to Code16 Sharp version 9.20.0 or later, where this vulnerability has been patched. The fix involves proper sanitization of file extensions using 'pathinfo(PATHINFO_EXTENSION)' instead of 'strrpos()', along with strict regex replacements for both the base name and the extension.