Emlog Pro Path Traversal Vulnerability Leading to Remote Code Execution

A path traversal vulnerability has been identified in Emlog Pro version 2.6.9, allowing authenticated administrators to execute arbitrary PHP code. The issue arises in the template upload feature, where the system fails to properly sanitize filenames in ZIP archives. By uploading a malicious ZIP file containing directory traversal sequences, an attacker can overwrite default template files or include malicious code files in the current template. This vulnerability was discovered in the official release of Emlog Pro 2.6.9.

Impact

Exploitation of this vulnerability allows for full server control by executing arbitrary PHP code with web server privileges. Malicious code can be injected into default template files, executing whenever a visitor accesses the site. This creates a persistent backdoor, as the injected script remains even if the template is changed, and can be hidden within the template structure.

Reproduction

To reproduce this vulnerability, log into the Emlog Pro 2.6.9 backend as an administrator. Navigate to the template management section and upload a crafted ZIP file containing a directory traversal payload. The system will extract the file and overwrite existing template files, allowing for the execution of injected PHP code.

Remediation

Users are advised to implement strict path validation during the template upload process. This includes sanitizing file names to remove directory traversal sequences, validating file contents before extraction, and ensuring that extracted files are confined to the designated template directory.