SonicCloudOrg Sonic-Server Path Traversal Vulnerability in File Upload Component
Vulnerability
A path traversal vulnerability has been identified in SonicCloudOrg sonic-server versions through 2.0.0. The issue arises in the file upload functionality, specifically within the 'Upload' method of 'FileTool.java'. Authenticated attackers can manipulate the 'type' parameter, which leads to unauthorized file writes in arbitrary directories on the server. The flaw can be exploited remotely, and a public exploit is available.
Impact
Exploitation of this vulnerability could result in unauthorized file uploads to sensitive areas of the server, potentially overwriting critical files or introducing malicious scripts that could be executed via the web server.
Reproduction
To reproduce this vulnerability, authenticate to the Sonic Server application with a user account that has file upload permissions. Then, send a POST request to either the '/upload' or '/upload/v2' endpoint. Include a file in the 'file' parameter and a directory traversal payload in the 'type' parameter. The uploaded file will be written to the specified location, bypassing normal directory restrictions.
Remediation
Implement strict validation of the 'type' parameter so that only allowed directory names are accepted. Additionally, normalize and validate the resulting paths to prevent traversal attacks.
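One way to apply both recommendations, as an added example that is not sonic-server's own code or its patch. The class name, the allowlisted directory names and the server-generated file name are assumptions made for illustration; the file-name handling goes slightly beyond the 'type' parameter the advisory describes.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Set;
import java.util.UUID;

public class SafeUploadPath {
    // Assumed allowlist: placeholder directory names, not sonic-server's real ones.
    private static final Set<String> ALLOWED_TYPES = Set.of("images", "packages", "logs");
    private final Path baseDir;

    public SafeUploadPath(Path baseDir) throws IOException {
        Files.createDirectories(baseDir);
        this.baseDir = baseDir.toRealPath(); // canonical root, symlinks resolved
    }

    public Path resolve(String type, String originalName) throws IOException {
        // 1. Exact-match allowlist: "..", separators and absolute paths never reach the filesystem.
        if (type == null || !ALLOWED_TYPES.contains(type)) {
            throw new IllegalArgumentException("unsupported upload type");
        }
        // 2. Server-generated file name; only a short alphanumeric extension is kept.
        Path target = baseDir.resolve(type)
                .resolve(UUID.randomUUID() + safeExtension(originalName)).normalize();
        // 3. Containment check on the normalized path (defence in depth).
        if (!target.startsWith(baseDir)) {
            throw new SecurityException("path escapes upload root");
        }
        // 4. Re-check the real directory in case a symlink sits under the root.
        Path dir = Files.createDirectories(target.getParent()).toRealPath();
        if (!dir.startsWith(baseDir)) {
            throw new SecurityException("upload directory resolves outside root");
        }
        return target;
    }

    private static String safeExtension(String name) {
        int dot = name == null ? -1 : name.lastIndexOf('.');
        String ext = dot >= 0 ? name.substring(dot) : "";
        return ext.matches("\\.[A-Za-z0-9]{1,8}") ? ext : "";
    }
    public static void main(String[] args) throws IOException {
        SafeUploadPath paths = new SafeUploadPath(Files.createTempDirectory("uploads"));
        System.out.println("accepted: " + paths.resolve("images", "shot.png"));
        for (String bad : new String[] {"../../etc", "/tmp", "images/../..", ""}) { // constructed inputs
            try { paths.resolve(bad, "x.txt"); System.out.println("ACCEPTED " + bad); }
            catch (IllegalArgumentException e) { System.out.println("rejected: '" + bad + "'"); }
        }
    }
}
```

Because the allowlist is an exact string match, every constructed traversal value in main is rejected before any path is built; the normalization and real-path checks only matter if the allowlist is later loosened or a symlink is planted under the upload root.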
