Flight PHP Path Traversal Vulnerability in make:controller CLI Command
Vulnerability
A path traversal vulnerability has been identified in Flight PHP versions prior to 3.18.1. The issue arises in the make:controller command: the CLI creates directories recursively from the user-supplied controller name before validating the class name. Because the directories are created before any check runs, a name containing directory traversal sequences causes arbitrary directories to be created outside the project root. The vulnerability is exacerbated on Windows systems, where the backslash directory separator offers additional traversal sequences.
Impact
Exploitation of this vulnerability allows arbitrary directories to be created outside the project root. This could be used to plant log files for subsequent local file inclusion attacks. On Windows, the backslash separator further widens the set of paths that can be reached.
Reproduction
To reproduce this vulnerability, use the Flight CLI to create a controller with a name that includes directory traversal sequences, such as '../../../../tmp/CONTROLLER_TRAVERSAL_TEST/pwn'. The command creates the directories along the traversal path, including the 'CONTROLLER_TRAVERSAL_TEST' directory, before Nette's class name validation rejects the input.
Remediation
Users can upgrade to Flight PHP version 3.18.1 or later, where this vulnerability has been fixed.
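The following is an added example, not Flight's own code, that contrasts the ordering bug described above (directories created from the raw name, validation afterwards) with the ordering a fixed generator should use: validate the class name, confine the target path to the controllers directory, and only then touch the disk. The function names, the app/controllers layout, and the identifier regex (standing in for Nette's class name validation) are assumptions for illustration; the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added example (not Flight's code). Requires PHP 8.0+ for str_starts_with().
// A bare PHP identifier: no '/', '\', '.', or other filesystem metacharacters.
// This regex is an assumption standing in for the framework's own validation.
const IDENTIFIER_RE = '/^[A-Za-z_\x80-\xff][A-Za-z0-9_\x80-\xff]*$/';

/**
 * Vulnerable ordering (shown for contrast, not called below): mkdir() runs on
 * a path built from the unvalidated name, so '../' segments (and '\' on
 * Windows) walk outside $projectRoot before the validation ever runs.
 */
function makeControllerVulnerable(string $projectRoot, string $name): string
{
    $target = $projectRoot . '/app/controllers/' . $name . 'Controller.php';
    if (!is_dir(dirname($target))) {
        mkdir(dirname($target), 0755, true);   // directories already created here
    }
    if (!preg_match(IDENTIFIER_RE, $name)) {   // check comes too late
        throw new InvalidArgumentException("Invalid class name: $name");
    }
    return $target;
}

/** Hardened ordering: validate, confine the path, then create the file. */
function makeControllerSafe(string $projectRoot, string $name): string
{
    // 1. Reject anything that is not a plain identifier before any I/O.
    if (!preg_match(IDENTIFIER_RE, $name)) {
        throw new InvalidArgumentException("Invalid class name: $name");
    }

    // 2. Confine the target to the controllers directory. realpath() only
    //    resolves existing paths, so resolve the base and check the prefix.
    $base = realpath($projectRoot . '/app/controllers');
    if ($base === false) {
        throw new RuntimeException('controllers directory does not exist');
    }
    $target = $base . DIRECTORY_SEPARATOR . $name . 'Controller.php';
    if (!str_starts_with($target, $base . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException('target escapes controllers directory');
    }

    // 3. Only now write to disk, and never clobber an existing file.
    if (file_exists($target)) {
        throw new RuntimeException("$target already exists");
    }
    file_put_contents($target, "<?php\n\nclass {$name}Controller\n{\n}\n");
    return $target;
}

// Demo under a throwaway project root in the temp directory (constructed).
$root = sys_get_temp_dir() . '/flight-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/app/controllers', 0755, true);

foreach (['../../../../tmp/CONTROLLER_TRAVERSAL_TEST/pwn', 'Users'] as $name) {
    try {
        echo 'created ', makeControllerSafe($root, $name), PHP_EOL;
    } catch (Throwable $e) {
        echo "rejected '$name': ", $e->getMessage(), PHP_EOL;
    }
}
```

Run it with `php` from the command line: the traversal name is rejected by the identifier check before any directory is created, while 'Users' produces app/controllers/UsersController.php inside the temporary project root. The prefix check in step 2 is redundant once the regex has passed, but keeping it means a later relaxation of the name rule cannot silently reintroduce the traversal.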
