The Dataflow module in OpenMage LTS uses a weak blacklist filter (str_replace('../', '', $input)) to prevent path traversal attacks. This filter can be bypassed using patterns like ..././ or ....//, which after the replacement still result in ../. An authenticated administrator can exploit this to read arbitrary files from the server filesystem.
| Metric | Value | Justification |
| ------------------------ | --------- | ------------------------------------- |
| Attack Vector (AV) | Network | Exploitable via admin panel |
| Attack Complexity (AC) | Low | Simple bypass pattern |
| Privileges Required (PR) | High | Requires admin authentication |
| User Interaction (UI) | None | No additional user interaction needed |
| Scope (S) | Unchanged | Impacts the vulnerable component |
| Confidentiality (C) | High | Can read sensitive system files |
| Integrity (I) | None | Read-only vulnerability |
| Availability (A) | None | No impact on availability |

| File | Line | Vulnerable Code |
| ------------------------------------------------------------ | ---- | ---------------------------------------- |
| app/code/core/Mage/Dataflow/Model/Convert/Parser/Csv.php | 67 | str_replace('../', '', urldecode(...)) |
| app/code/core/Mage/Dataflow/Model/Convert/Parser/Xml/Excel.php | 63 | str_replace('../', '', urldecode(...)) |
The Dataflow module allows administrators to import data from files. The files parameter specifies which file to import from the var/import/ directory. To prevent path traversal, the code uses...
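The following is an added illustration, not OpenMage's own code: it puts the single-pass str_replace filter described above next to a containment check that resolves the candidate path and requires it to stay under the import root. The directory layout, file names and the resolveInsideBase function are constructed for the demonstration.

```php
<?php
// Added example (not OpenMage code). Contrasts the blacklist-style filter
// with a containment check against the import directory.

// The weak pattern: one non-recursive replacement of "../".
function weakFilter(string $input): string
{
    return str_replace('../', '', urldecode($input));
}

// Hardened resolver (hypothetical helper): resolve the candidate and require
// that it stays inside $baseDir. Anything else is rejected with null.
function resolveInsideBase(string $baseDir, string $file): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses ".." and symlinks; it returns false for paths that
    // do not exist, which is treated as a refusal rather than a guess.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($candidate === false) {
        return null;
    }
    // Compare with a trailing separator so "import2/x" cannot pass as "import".
    return str_starts_with($candidate, $base . DIRECTORY_SEPARATOR) ? $candidate : null;
}

// Constructed fixture: an import directory plus one file that sits outside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dataflow_' . bin2hex(random_bytes(4));
$base = $root . DIRECTORY_SEPARATOR . 'import';
mkdir($base, 0700, true);
file_put_contents($base . DIRECTORY_SEPARATOR . 'products.csv', "sku,qty\n");
file_put_contents($root . DIRECTORY_SEPARATOR . 'outside.txt', "should not be readable\n");

foreach (['products.csv', '..././outside.txt', '....//outside.txt'] as $in) {
    // The weak filter turns both bypass patterns back into a plain "../".
    printf("weak:      %-20s -> %s\n", $in, weakFilter($in));
    // The containment check accepts only the file under $base.
    printf("contained: %-20s -> %s\n", $in, resolveInsideBase($base, $in) ?? 'rejected');
}

// Clean up the fixture.
unlink($base . DIRECTORY_SEPARATOR . 'products.csv');
unlink($root . DIRECTORY_SEPARATOR . 'outside.txt');
rmdir($base);
rmdir($root);
```

Because str_replace makes a single left-to-right pass, stripping "../" from "..././" leaves the characters around the match, which reassemble into "../"; the containment check does not depend on the input's spelling at all.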
Version: 20.17.0

CVSS 3.1 base score: 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)