Chyrp Lite
cpe:2.3:a:chyrplite:chyrp_lite:*:*:*:*:*:*:*, +1 more
- <= 2025.03.01
A path traversal vulnerability has been identified in Chyrp Lite versions prior to 2026.01. This vulnerability exists in the administration console, where it allows an administrator or a user with Change Settings permission to manipulate the uploads path. By doing so, a user could download any file from the server, including the config.json.php file containing database credentials, and overwrite critical system files. Such actions could lead to remote code execution.
Exploitation of this vulnerability could allow an authenticated attacker to access sensitive information, such as database passwords and system files, overwrite PHP files to execute arbitrary code, and cause a denial-of-service by rewriting essential system files.
To reproduce this vulnerability, an authenticated user with Change Settings permission can access the administration console and navigate to the uploads path setting. The user can then input a path traversal sequence, such as using relative path components to escape the intended directory, and set the uploads path to a location that is not properly filtered, such as the root directory or the includes directory. Once the uploads path is manipulated, the user can use the download.php script to retrieve sensitive files like config.json.php or overwrite PHP files in the Chyrp environment with malicious versions.
Users can update to Chyrp Lite version 2026.01, which addresses this vulnerability by implementing proper filtering to disallow backtracking through path components and preventing unsafe directories reserved for internal use from being set as the upload directory.
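As an added illustration of the kind of check the fix describes (this is not Chyrp Lite's own PHP code; it is a language-neutral Python sketch, and the reserved directory names other than "includes" are assumptions), the following validates an uploads-path setting so that it cannot backtrack out of the site root or point at the root or an internal directory, and then maps a download request onto the validated directory:

```python
import posixpath

# Directories reserved for internal use. "includes" is named in the advisory;
# the others are assumed placeholders for this example.
RESERVED_DIRS = frozenset({"includes", "admin", "modules", "themes"})


class UnsafeUploadsPath(ValueError):
    """Raised when a setting or request would escape the uploads directory."""


def validate_uploads_path(setting: str) -> str:
    """Return a normalized, site-relative uploads path or raise UnsafeUploadsPath.

    Rejects absolute paths, any ".." component and reserved internal
    directories, mirroring the filtering the 2026.01 release introduced.
    """
    # Treat both separators alike so "..\\" is not a bypass on Windows hosts.
    candidate = setting.replace("\\", "/").strip()
    if candidate.startswith("/") or (len(candidate) > 1 and candidate[1] == ":"):
        raise UnsafeUploadsPath("uploads path must be relative to the site root")
    parts = [p for p in candidate.split("/") if p not in ("", ".")]
    if any(p == ".." for p in parts):
        raise UnsafeUploadsPath("backtracking through path components is not allowed")
    if not parts or parts[0].lower() in RESERVED_DIRS:
        raise UnsafeUploadsPath("site root and internal directories cannot hold uploads")
    return "/".join(parts)


def resolve_download(uploads_path: str, requested: str) -> str:
    """Map a download request to a file directly inside the validated uploads dir.

    Any directory component in the request is refused outright, so a request
    such as "../config.json.php" never reaches the filesystem.
    """
    name = requested.replace("\\", "/")
    if "/" in name or name in ("", ".", ".."):
        raise UnsafeUploadsPath("file name may not contain path components")
    full = posixpath.normpath(posixpath.join(uploads_path, name))
    # Defence in depth: the joined path must still sit under the uploads dir.
    if posixpath.commonpath([uploads_path, full]) != uploads_path:
        raise UnsafeUploadsPath("file is outside the uploads directory")
    # A real deployment should also compare os.path.realpath() of the result
    # against the uploads directory so symlinks cannot redirect the read.
    return full
```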