
Microweber v2.0.20 - Unauthenticated Arbitrary File Read and Path-Controlled File Write via thumbnail_img #1172

@Leousum

Description

1. Vulnerability Description

A path traversal vulnerability exists in a hidden public API endpoint of Microweber v2.0.20.
The endpoint /api_nosession/thumbnail_img does not properly validate the cache_path_relative parameter before using it to build the output file path. Because the value is concatenated with userfiles_path() and passed only through normalize_path(), directory traversal sequences such as ../ are not removed, so the resulting path can point outside the intended thumbnail cache directory.
As a result, an unauthenticated attacker can: (1) read existing files by pointing cache_path_relative at an existing file outside the intended thumbnail cache directory; and (2) create files at attacker-controlled paths when a local SVG file is used as the source image.

Vulnerability Type: Path Traversal
CWE ID: CWE-22
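As an added example (not Microweber's code, and not a fix the project has shipped), the check below shows what validating cache_path_relative has to do: since normalize_path() leaves ../ intact, the value must be resolved segment by segment and rejected whenever it would leave the cache directory. The function name safe_cache_path and its $base argument (standing in for what userfiles_path() returns) are assumptions.

```php
<?php
// Added example, not Microweber's code. safe_cache_path() and its arguments
// are assumed names; $base stands for the directory userfiles_path() would return.
/**
 * Resolve $relative against $base and return the absolute target only if it
 * stays inside $base; return null otherwise. Resolution is lexical on purpose:
 * in the file-write case the target does not exist yet, so realpath() alone
 * cannot validate it.
 */
function safe_cache_path(string $base, string $relative): ?string
{
    // NUL bytes can truncate the path in lower-level filesystem calls.
    if (strpos($relative, "\0") !== false) {
        return null;
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;                    // the cache directory itself must exist
    }
    // Treat backslashes like slashes and resolve '.' and '..' segment by segment.
    $stack = [];
    foreach (explode('/', str_replace('\\', '/', $relative)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;                   // empty (double slash) or current directory
        }
        if ($seg === '..') {
            if ($stack === []) {
                return null;            // would climb above $base: reject, do not "repair"
            }
            array_pop($stack);
            continue;
        }
        $stack[] = $seg;
    }
    if ($stack === []) {
        return null;                    // resolved to the base directory, not a file
    }
    $target = $baseReal . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $stack);
    // Defence in depth for targets that already exist: the canonical path
    // (symlinks resolved) must still be under the base directory.
    $targetReal = realpath($target);
    if ($targetReal !== false && strpos($targetReal, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

// Constructed inputs: one path stays inside the cache directory, the other tries to leave it.
$inside  = safe_cache_path(sys_get_temp_dir(), 'thumbnails/2024/abc.png');
$outside = safe_cache_path(sys_get_temp_dir(), '../../outside-cache.txt');
var_dump($inside !== null, $outside === null);
```

Rejecting rather than stripping ../ matters: a sanitiser that deletes traversal sequences can be bypassed with nested forms, while a resolver that refuses to climb above the base has no such failure mode.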

2. Reproduction Screenshot

The screenshot for vulnerability reproduction (impact: arbitrary file read) is as follows:

[Screenshot: reproduction of the arbitrary file read]

For security reasons, I will not disclose further details about this vulnerability. I have sent the reproduction steps, root cause, and other relevant information to [email protected] via email, hoping that this issue can be addressed promptly.
