Description

FUXA Affected by a Path Traversal Sanitization Bypass

Summary

A flaw in the path sanitization logic allows an authenticated attacker with administrative privileges to bypass directory traversal protections. By using nested traversal sequences (e.g., ....//), an attacker can write arbitrary files to the server filesystem, including sensitive directories like runtime/scripts. This leads to Remote Code Execution (RCE) when the server reloads the malicious scripts. It is a new vulnerability a patch bypass for the sanitization in the last release .

Details

This report describes a new, distinct vulnerability that differs from previous Path Traversal advisories (such as CVE-2023-31718) in several ways:

Patch Bypass (Regression): The vulnerability circumvents the existing sanitization logic implemented to fix previous traversal issues. The current "single-pass" regex approach is insufficient against nested sequences. Expansion of Scope: Unlike previous reports that focused primarily on /api/download, this bypass affects multiple critical endpoints, including /api/upload, /api/resources/remove, and /api/logs. Escalation to RCE: By targeting the upload and remove functionalities, this vulnerability directly leads to Remote Code Execution, which is a higher impact than the information disclosure typically associated with previous traversal reports.

Impact

Remote Code Execution (RCE): Transition from application admin to full system control. SCADA Operational Disruption: Potential for physical or operational sabotage by manipulating tags and alarms. Data Integrity & Availability: Full access to projects, credentials, and historical logs.

Patches

This issue has been patched in FUXA version 1.2.11. Users are strongly encouraged to update to the latest available release.

Mitigation

Aliases

References