Traccar Broken Access Control Vulnerability in Image Upload Functionality

Vulnerability

A broken access control vulnerability has been identified in Traccar, an open-source GPS tracking system, prior to version 6.13.0. The issue arises in the 'DeviceResource.uploadImage' function, which only verifies that the requesting user has access to the device. The function then immediately streams the uploaded image into the media manager, bypassing the permissions check that enforces read-only restrictions for non-admin users. As a result, a user who should only be able to view a device can replace that device's image file on the server, disrupting any workflows that depend on the original image.

Impact

Exploitation of this vulnerability allows unauthorized users to overwrite a device's image file on the server, altering media that is visible in the user interface and affecting any processes that rely on the saved image.

Reproduction

To reproduce this vulnerability, a shared-device bearer token must be obtained for a user with 'readonly' permissions. This token can be used to authenticate a request to the 'POST /devices/{id}/image' endpoint, supplying the target 'deviceId' and an image file. Because no read-only permissions check runs before the file is written to the server media directory, the upload succeeds and the device's image is replaced.
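The defect is one of check ordering: the device-access check runs, but the write is performed before the read-only restriction is ever evaluated. The following added example (not Traccar's code; the User, MediaStore, upload_image_* and check_* names are hypothetical) models the vulnerable ordering beside the hardened one, so the difference can be exercised on constructed inputs:

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Set


class Forbidden(Exception):
    """Raised when an authorization check rejects the request (a 403 in a real API)."""


@dataclass
class User:
    id: int
    admin: bool = False
    readonly: bool = False                              # the 'readonly' permission from the advisory
    device_ids: Set[int] = field(default_factory=set)   # devices shared with this user


@dataclass
class MediaStore:
    """Constructed stand-in for the server media directory: device id -> stored image bytes."""
    files: Dict[int, bytes] = field(default_factory=dict)

    def write(self, device_id: int, data: bytes) -> None:
        self.files[device_id] = data


def check_device_access(user: User, device_id: int) -> None:
    """Device-level check: admins reach every device, others only devices shared with them."""
    if not user.admin and device_id not in user.device_ids:
        raise Forbidden("user has no access to this device")


def check_writable(user: User) -> None:
    """Read-only enforcement: a non-admin 'readonly' user must not modify server state."""
    if not user.admin and user.readonly:
        raise Forbidden("user is read-only")


def upload_image_vulnerable(user: User, device_id: int, data: bytes, store: MediaStore) -> None:
    """Ordering described in the advisory: device access is checked, then the upload is
    streamed straight into the store, so the read-only restriction never runs."""
    check_device_access(user, device_id)
    store.write(device_id, data)


def upload_image_fixed(user: User, device_id: int, data: bytes, store: MediaStore) -> None:
    """Hardened ordering: every authorization check passes before a byte reaches the store."""
    check_device_access(user, device_id)
    check_writable(user)
    store.write(device_id, data)


def attempt(handler: Callable, user: User, device_id: int, data: bytes, store: MediaStore) -> bool:
    """Run one upload and report whether it was allowed; the store shows whether data changed."""
    try:
        handler(user, device_id, data, store)
        return True
    except Forbidden:
        return False


def demo() -> Dict[str, bool]:
    """Constructed scenario: device 7 is shared with a read-only user and a normal user."""
    original, replacement = b"original.jpg", b"replacement.jpg"
    readonly_user = User(id=2, readonly=True, device_ids={7})
    normal_user = User(id=3, device_ids={7})
    outsider = User(id=4, device_ids={8})       # device 7 is not shared with this user

    vuln_store = MediaStore({7: original})
    fixed_store = MediaStore({7: original})
    results: Dict[str, bool] = {}

    # Read-only user: the vulnerable handler overwrites the image, the fixed one refuses.
    results["vuln_readonly_allowed"] = attempt(upload_image_vulnerable, readonly_user, 7, replacement, vuln_store)
    results["vuln_file_replaced"] = vuln_store.files[7] == replacement
    results["fixed_readonly_allowed"] = attempt(upload_image_fixed, readonly_user, 7, replacement, fixed_store)
    results["fixed_file_unchanged"] = fixed_store.files[7] == original

    # The device-level check is the same in both versions: outsiders are rejected either way.
    results["vuln_outsider_allowed"] = attempt(upload_image_vulnerable, outsider, 7, replacement, vuln_store)
    results["fixed_outsider_allowed"] = attempt(upload_image_fixed, outsider, 7, replacement, fixed_store)

    # A user with write access to the device is still served after the fix.
    results["fixed_normal_allowed"] = attempt(upload_image_fixed, normal_user, 7, replacement, fixed_store)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same pattern applies to any handler that streams a request body into storage: the decision of whether the caller may write must be complete before the stream is opened, because once bytes are on disk the damage described in the Impact section has already occurred.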

Remediation

Users are advised to update to Traccar version 6.13.0 or later, where this vulnerability has been fixed.

Added: May 26, 2026, 11:14 PM
Updated: May 26, 2026, 11:14 PM

Vulnerability Rating

Custom Algorithm
  category         score
  spread           3.1
  impact           0.6
  exploitability   6.6
  remediation      7.7
  relevance        9.6
  threat           6.4
  urgency          2.9
  incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.