Emlog Path Traversal Vulnerability in emUnZip() Function Allowing Arbitrary File Write and Remote Code Execution

Vulnerability

A path traversal vulnerability has been identified in Emlog versions prior to 2.6.2, specifically within the emUnZip() function. This vulnerability arises because the function extracts ZIP archives without properly sanitizing the names of the ZIP entries. An authenticated admin can upload a malicious ZIP file containing entries with '../' sequences, which can be used to write arbitrary files to the server filesystem. This includes the potential to upload PHP webshells, leading to remote code execution. The vulnerability is present during ZIP extraction for plugin or template uploads and backup imports.
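One way to close this class of bug is to validate every entry name before anything is written to disk. The following is an added example, not Emlog's code and not the 2.6.2 fix; isSafeEntryName() and safeUnzip() are hypothetical names, and it assumes PHP's zip extension (ZipArchive) is available.

```php
<?php
// Added example: validate every ZIP entry name before extracting anything.
// isSafeEntryName() and safeUnzip() are hypothetical names, not Emlog functions.

function isSafeEntryName(string $name): bool
{
    // Normalise Windows separators so "..\" is caught as well.
    $name = str_replace('\\', '/', $name);

    // Reject empty names, NUL bytes, absolute paths and drive letters.
    if ($name === '' || strpos($name, "\0") !== false) {
        return false;
    }
    if ($name[0] === '/' || preg_match('/^[A-Za-z]:/', $name)) {
        return false;
    }
    // Reject any ".." path component, wherever it appears in the name.
    foreach (explode('/', $name) as $part) {
        if ($part === '..') {
            return false;
        }
    }
    return true;
}

function safeUnzip(string $zipPath, string $destDir): bool
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return false;
    }
    // First pass: refuse the whole archive if any entry name is unsafe.
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === false || !isSafeEntryName($name)) {
            $zip->close();
            return false;
        }
    }
    // Second pass: only now write to disk.
    $ok = $zip->extractTo($destDir);
    $zip->close();
    return $ok;
}

// Constructed sample names, including the one used in the Reproduction section.
foreach (['plugin/main.php', '../../var/www/html/shell.php', '/etc/cron.d/x', 'a/..\\..\\b.php'] as $n) {
    printf("%-32s %s\n", $n, isSafeEntryName($n) ? 'ok' : 'rejected');
}
```

Rejecting the whole archive on the first bad name, rather than skipping that entry, keeps a partially extracted upload from being left on disk.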

Impact

Exploitation of this vulnerability allows an authenticated administrator to write arbitrary files anywhere on the server. When combined with the upload of a webshell, this results in full remote code execution. Notably, even non-admin users who can upload plugins or templates are affected.

Reproduction

To reproduce this vulnerability, create a ZIP file containing a PHP file named with a path traversal sequence, such as '../../var/www/html/shell.php'. Then, upload this ZIP file through the plugin upload endpoint as an authenticated admin. The extracted file will be written to the web root, achieving remote code execution.

Added: Apr 3, 2026, 11:24 PM
Updated: Apr 3, 2026, 11:24 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 0.8
exploitability: 6.3
remediation: 0.0
relevance: 5.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.