4ga Boards Path Traversal Vulnerability Leading to Arbitrary File Read
Vulnerability
A path traversal vulnerability has been identified in 4ga Boards versions prior to 3.3.5. An authenticated user with board import privileges can make the server import arbitrary host files as board attachments during the BOARDS archive import process. The application does not validate the attachment file paths listed in the archive, so traversal sequences escape the intended import directory and reach any file on the host filesystem that the application process can read. Once such a file has been imported as an attachment, it can be downloaded through the application's normal attachment interface, disclosing the contents of the local file.
Impact
Exploitation allows arbitrary local file read by any authenticated user who holds board import privileges. Files readable by the account the application runs as, such as configuration files containing database credentials or secrets, can be exfiltrated from the server.
Reproduction
To reproduce this vulnerability, upload a crafted BOARDS export archive whose `attachments.csv` file has been modified so that one attachment entry's path escapes the import directory and points to a file readable by the application process. After the archive is imported, the resulting board contains an attachment whose content was sourced from the host filesystem, and that attachment can be downloaded through the application.
Remediation
Users are advised to update to 4ga Boards version 3.3.5 or later, where this vulnerability has been fixed.
