Sparx Systems Pro Cloud Server
- Affected versions: <= 6.1
A race condition vulnerability has been identified in Sparx Pro Cloud Server versions through 6.1. This issue occurs in the /data_api/dl_internal_artifact.php endpoint, where the application downloads object properties based on a provided GUID parameter. The downloaded content is saved in the current directory under a user-specified name. An attacker with repository access can manipulate both the filename and content, potentially creating a malicious PHP file. Although the file is deleted after processing, the race condition allows the file to remain accessible if the response is delayed, such as through a slow connection or large file transfer. During this time, the attacker can execute the PHP file, leading to remote code execution.
Exploitation of this vulnerability allows for remote code execution on the server where Sparx Pro Cloud Server is running.
To reproduce this vulnerability, an authenticated user with repository access can send a request to the /data_api/dl_internal_artifact.php endpoint, including a GUID parameter that points to a desired object. The request should specify a filename that will be used to save the downloaded content in the current directory. After the initial request is processed, the user can wait for a response delay and then send a second request to execute the malicious PHP file that was created. This exploitation window takes advantage of the race condition, allowing the execution of the PHP file before it is deleted by the application.
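The pattern described above leaves a recognisable trace in web-server access logs: a request to /data_api/dl_internal_artifact.php that names a file with a server-executable extension, followed shortly afterwards by a request from the same client for a path with that same basename. The following detector is an added example written for this page; it is not part of the advisory and not code from Sparx Systems. The sample log lines are constructed, the query parameter name `filename` and the `guid` values are assumptions (the advisory only says a GUID and a user-specified filename are supplied), and the 60-second correlation window is a tunable choice.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Constructed sample web-server log lines in combined format; this is not real
# traffic. The "filename" query parameter name and the "guid" values are
# assumptions for illustration only.
SAMPLE_LOG = """\
203.0.113.7 - alice [12/Mar/2025:10:15:01 +0000] "GET /data_api/dl_internal_artifact.php?guid=GUID-1&filename=report.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - bob [12/Mar/2025:10:15:03 +0000] "GET /data_api/dl_internal_artifact.php?guid=GUID-2&filename=cmd.php HTTP/1.1" 200 0 "-" "curl/8.0"
203.0.113.9 - bob [12/Mar/2025:10:15:04 +0000] "GET /data_api/cmd.php HTTP/1.1" 200 42 "-" "curl/8.0"
203.0.113.7 - alice [12/Mar/2025:10:15:09 +0000] "GET /data_api/report.pdf HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/data_api/dl_internal_artifact.php"   # endpoint named in the advisory
FILENAME_PARAM = "filename"                         # assumed parameter name
EXEC_EXTENSIONS = (".php", ".phtml", ".phar", ".php3", ".php5", ".php7")
EXEC_WINDOW = timedelta(seconds=60)  # how long after staging a fetch is still correlated


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["target"])
    return {
        "ip": m["ip"],
        "user": m["user"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": url.path,
        "query": parse_qs(url.query),
        "status": int(m["status"]),
    }


def staged_filename(event):
    """Return the user-supplied filename if this event hits the download endpoint, else None."""
    if event["path"] != ENDPOINT:
        return None
    values = event["query"].get(FILENAME_PARAM)
    return values[0] if values else None


def is_executable_name(name):
    """True if the server would hand this filename to the PHP interpreter."""
    return name.lower().endswith(EXEC_EXTENSIONS)


def detect(log_text):
    """Return (staged, executed).

    staged:   every download request whose user-supplied filename has an executable
              extension (worth alerting on by itself).
    executed: those staged entries followed, within EXEC_WINDOW, by a request from the
              same client IP for a path whose basename equals the staged filename, i.e.
              the race window described in the advisory was actually used.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    staged, executed = [], []
    for ev in events:
        name = staged_filename(ev)
        if name is not None:
            if is_executable_name(name):
                staged.append({"ip": ev["ip"], "user": ev["user"],
                               "ts": ev["ts"], "filename": name})
            continue  # the staging request itself is never a follow-up fetch
        basename = ev["path"].rsplit("/", 1)[-1]
        for s in staged:
            if (s["ip"] == ev["ip"] and basename == s["filename"]
                    and timedelta(0) <= ev["ts"] - s["ts"] <= EXEC_WINDOW):
                executed.append({**s, "exec_ts": ev["ts"], "exec_status": ev["status"]})
    return staged, executed


if __name__ == "__main__":
    staged, executed = detect(SAMPLE_LOG)
    for s in staged:
        print(f"STAGED   {s['ts']:%H:%M:%S} {s['ip']} user={s['user']} file={s['filename']}")
    for x in executed:
        print(f"EXECUTED {x['exec_ts']:%H:%M:%S} {x['ip']} file={x['filename']} "
              f"status={x['exec_status']}")
```

Run against the constructed log, the detector reports one staged executable name (`cmd.php` from 203.0.113.9) and one correlated follow-up fetch a second later; alice's PDF download produces nothing. On a real deployment the `staged` list alone is a useful alert, since a legitimate download has no reason to name a `.php` file, and correlating on client IP rather than username catches the case where the fetch of the staged file is unauthenticated.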