Oinone Pamirs Path Traversal Vulnerability in RestController Allowing Arbitrary File Uploads
Vulnerability
A path traversal vulnerability has been identified in Oinone Pamirs versions through 7.2.0. The issue resides in the RestController component, specifically in the LocalFileClient.java file. The uniqueFileName parameter, read with request.getParameter, is not properly sanitized, so an attacker can manipulate the file path and escape the designated upload directory. This can lead to unauthorized file uploads, with potential for remote code execution.
Impact
Exploitation of this vulnerability allows for unauthorized file uploads, which could be used to execute malicious code on the server, potentially leading to a complete takeover of the system.
Reproduction
To reproduce this vulnerability, send a POST request to the '/file/upload' endpoint. Include a 'uniqueFileName' parameter with a crafted filename that contains directory traversal sequences, such as '../../../../etc/cron.d/'. Also, attach a file with the same name that includes a malicious payload, such as a cron job command. The server will process the request, bypassing permission checks, and execute the uploaded payload as a scheduled task.
Remediation
Update the Spring configuration to enforce permission checks on the '/file/**' path, preventing access by unauthenticated users. Implement validation to normalize and verify file paths before writing them. Additionally, avoid running the Java process as the root user and restrict the web service's write permissions to safe directories.
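The "normalize and verify" step from the remediation above, as an added example that is not Oinone Pamirs code: the class name SafeUploadPath and the temporary upload root are assumptions, and the sample file names are constructed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Hypothetical helper (not Oinone Pamirs code): resolves a client-supplied
// file name against a fixed upload root and rejects anything that escapes it.
public final class SafeUploadPath {

    private final Path root;

    public SafeUploadPath(Path uploadRoot) throws IOException {
        Files.createDirectories(uploadRoot);
        // toRealPath() resolves symlinks so the containment check uses the real root.
        this.root = uploadRoot.toRealPath();
    }

    public Path resolve(String uniqueFileName) {
        if (uniqueFileName == null || uniqueFileName.isEmpty()
                || uniqueFileName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid file name");
        }
        // An absolute name replaces the root entirely; normalize() then
        // collapses "." and ".." segments before the comparison.
        Path target = root.resolve(uniqueFileName).normalize();
        // Path.startsWith compares whole path elements, so a sibling such as
        // "<root>-evil" does not pass as being inside "<root>".
        if (!target.startsWith(root) || target.equals(root)) {
            throw new IllegalArgumentException("path escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        SafeUploadPath safe = new SafeUploadPath(Files.createTempDirectory("uploads"));
        // Constructed sample inputs: two legitimate names, three traversal attempts.
        String[] names = {"report.pdf", "2024/report.pdf",
                "../../../../etc/cron.d/job", "/etc/cron.d/job", "a/../../b"};
        for (String name : names) {
            try {
                System.out.println("OK      " + name + " -> " + safe.resolve(name));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT  " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check is lexical for the target path, so if symlinks can exist below the upload root, also compare the real path of the target's parent directory against the root before writing.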
