Path traversal is a security vulnerability (CWE-23: Relative Path Traversal) that attackers can abuse to gain unauthorized access to files.
Web applications often include files stored on the web server or offer them for download. These files can be referenced by a relative or absolute path. For example, a URL that references a file may look like this: https://www.example.org/file?path=content/example.pdf
If the application is vulnerable to path traversal, an attacker may change the path to the file by inserting control sequences (e.g. “../”).
If the web server is misconfigured and permits this, the attacker can navigate up to the root directory of the web server. From there, any file whose name is known can be included or downloaded through the web application.
To prevent an attacker from using this technique to access files with sensitive content, it is important to ensure that paths cannot be manipulated. This can be done, for example, by blocking access to files outside the web root directory, or by sanitizing and encoding control sequences in paths.
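The following is an added example (not pixx.io's code and not part of the original post) contrasting the naive file-serving pattern described above with the web-root check recommended here. It builds a constructed sample tree in a temporary directory; the layout, file names and function names are assumptions for illustration, and both functions receive the path as the web framework would hand it over, i.e. already URL-decoded.

```python
import tempfile
from pathlib import Path
from typing import Optional


def make_sample_tree() -> Path:
    """Constructed sample layout (assumption): a web root 'www' holding
    content/example.pdf, plus a 'secret.txt' that lives OUTSIDE the root."""
    root = Path(tempfile.mkdtemp())
    (root / "www" / "content").mkdir(parents=True)
    (root / "www" / "content" / "example.pdf").write_bytes(b"%PDF-1.4 sample")
    (root / "secret.txt").write_text("outside the web root")
    return root


def vulnerable_open(web_root: Path, user_path: str) -> Optional[bytes]:
    """Naive concatenation: the user-supplied path is appended to the web
    root as-is, so '../' sequences walk out of web_root."""
    target = web_root / user_path
    if target.is_file():
        return target.read_bytes()
    return None


def safe_open(web_root: Path, user_path: str) -> Optional[bytes]:
    """Resolve '..' and symlinks first, then require the result to lie
    inside the resolved web root; anything else is rejected."""
    base = web_root.resolve()
    target = (base / user_path).resolve()
    # Component-wise containment check, so a sibling such as 'wwwsecret'
    # does not pass as being inside 'www'.
    inside = target == base or base in target.parents
    if not inside or not target.is_file():
        return None
    return target.read_bytes()
```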
We discovered such a path traversal in one of the PHP scripts in pixx.io. This is a serious finding, as attackers can use it to steal arbitrary files from pixx.io’s web servers and from the servers of clients that use pixx.io.
More details are available in the security advisory EXX-2021-02: EXXETA_pixxio_Advisory_Open-Redirect_2021-04
Show all posts by Florian Weller