GHSA-6VQF-6FHM-7RC6

Vulnerability from github – Published: 2026-04-21 14:35 – Updated: 2026-04-21 14:35
Summary
OpenMage LTS has a Path Traversal Filter Bypass in Dataflow Module
Details

The Dataflow module in OpenMage LTS uses a weak blacklist filter (str_replace('../', '', $input)) to prevent path traversal attacks. This filter can be bypassed using patterns like ..././ or ....//, which after the replacement still result in ../. An authenticated administrator can exploit this to read arbitrary files from the server filesystem.

| Metric | Value | Justification |
| --- | --- | --- |
| Attack Vector (AV) | Network | Exploitable via admin panel |
| Attack Complexity (AC) | Low | Simple bypass pattern |
| Privileges Required (PR) | High | Requires admin authentication |
| User Interaction (UI) | None | No additional user interaction needed |
| Scope (S) | Unchanged | Impacts the vulnerable component |
| Confidentiality (C) | High | Can read sensitive system files |
| Integrity (I) | None | Read-only vulnerability |
| Availability (A) | None | No impact on availability |

Affected Products

  • OpenMage LTS versions < 20.16.1
  • All versions derived from Magento 1.x with these code paths

Affected Files

| File | Line | Vulnerable Code |
| --- | --- | --- |
| app/code/core/Mage/Dataflow/Model/Convert/Parser/Csv.php | 67 | str_replace('../', '', urldecode(...)) |
| app/code/core/Mage/Dataflow/Model/Convert/Parser/Xml/Excel.php | 63 | str_replace('../', '', urldecode(...)) |

Vulnerability Details

The Dataflow module allows administrators to import data from files. The files parameter specifies which file to import from the var/import/ directory. To prevent path traversal, the code uses str_replace() to remove ../ sequences:

$file = Mage::app()->getConfig()->getTempVarDir() . '/import/'
    . str_replace('../', '', urldecode(Mage::app()->getRequest()->getParam('files')));

However, str_replace() only performs a single pass, making it trivially bypassable:

Bypass Examples

| Input | After str_replace('../', '', ...) | Result |
| --- | --- | --- |
| ..././ | ../ | Bypass |
| ....// | ../ | Bypass |
| ..././..././..././etc/passwd | ../../../etc/passwd | File read |

Attack Scenario

  1. Attacker gains admin access (via compromised credentials, social engineering, etc.)
  2. Navigate to System > Import/Export > Dataflow Profiles
  3. Create or modify an import profile
  4. Set the files parameter to: ..././..././..././etc/passwd
  5. Run the profile to read the contents of /etc/passwd

Proof of Concept

# Request to Dataflow with bypass pattern
GET /admin/system_convert_gui/run/id/1/?files=..././..././..././etc/passwd

# The str_replace removes '../' leaving:
# ..././..././..././etc/passwd -> ../../../etc/passwd

# Final path resolves to:
# /var/www/html/var/import/../../../etc/passwd -> /etc/passwd

Remediation

Replace the weak str_replace() filter with basename() to extract only the filename:

// Before (vulnerable)
$file = Mage::app()->getConfig()->getTempVarDir() . '/import/'
    . str_replace('../', '', urldecode(Mage::app()->getRequest()->getParam('files')));

// After (fixed)
$file = Mage::app()->getConfig()->getTempVarDir() . '/import/'
    . basename(urldecode(Mage::app()->getRequest()->getParam('files')));

Using basename() ensures only the filename portion is used, completely preventing any path traversal regardless of the input pattern.
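The following is an added example, not OpenMage code: it re-expresses the advisory's vulnerable filter and the basename() fix in Python so the single-pass behaviour from the bypass table can be observed directly, and adds a realpath() containment check on top of basename() as defence in depth. The function names and the IMPORT_DIR path are assumptions made for the example.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Added example, not OpenMage code. IMPORT_DIR is a constructed path that
# stands in for the var/import/ directory used by the Dataflow module.
IMPORT_DIR = "/srv/magento/var/import"


def weak_filter(files_param: str) -> str:
    """Vulnerable pattern: str_replace('../', '', urldecode($input)).
    One pass only, so the characters left on either side of a removed
    '../' can join into a fresh '../' that is never re-examined."""
    return unquote(files_param).replace("../", "")


def basename_filter(files_param: str) -> str:
    """The advisory's fix: keep only the last path component, so every
    directory part, however '..' is spelled, is discarded."""
    return os.path.basename(unquote(files_param))


def resolve_import_file(import_dir: str, files_param: str) -> Optional[str]:
    """Defence in depth on top of basename(): canonicalise the final path and
    accept it only if it lies strictly inside import_dir."""
    base = os.path.realpath(import_dir)
    candidate = os.path.realpath(os.path.join(base, basename_filter(files_param)))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None  # empty name, '.', or anything that escaped the directory
    return candidate


if __name__ == "__main__":
    for p in ("..././", "....//", "..././..././..././etc/passwd", "export.csv"):
        print(f"{p:32} weak={weak_filter(p):24} basename={basename_filter(p)!r}"
              f" resolved={resolve_import_file(IMPORT_DIR, p)}")
```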

Workarounds

If immediate upgrade is not possible:

  1. Restrict admin access: Limit Dataflow access to trusted administrators only
  2. Disable Dataflow: If not in use, disable the Dataflow module entirely
  3. Web Application Firewall: Block requests containing path traversal patterns
  4. File permissions: Ensure the web server user has minimal filesystem permissions
  5. Monitor admin activity: Alert on suspicious Dataflow profile execution
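As an added example supporting the "monitor admin activity" and WAF workarounds (not part of the advisory), the check below scans web-server access logs for Dataflow requests whose files parameter, decoded once as the vulnerable code does, is anything other than a bare filename. The log lines are constructed; the request path is the one from the proof of concept above, and the function names are the example's own.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Added example, not part of the advisory. Constructed access-log lines in
# common log format; only the request target is used by the check.
LOG_LINES = [
    '10.0.0.5 - - [21/Apr/2026:14:35:01 +0000] "GET /admin/system_convert_gui/run/id/1/?files=export.csv HTTP/1.1" 200 512',
    '10.0.0.5 - - [21/Apr/2026:14:35:09 +0000] "GET /admin/system_convert_gui/run/id/1/?files=..././..././..././etc/passwd HTTP/1.1" 200 1843',
    '10.0.0.9 - - [21/Apr/2026:14:36:40 +0000] "GET /admin/system_convert_gui/run/id/2/?files=..%2e/./..%2e/./app/etc/local.xml HTTP/1.1" 200 940',
    '10.0.0.7 - - [21/Apr/2026:14:37:02 +0000] "GET /admin/dashboard/ HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
DATAFLOW_PATH = "/system_convert_gui/"  # controller path from the proof of concept


def suspicious_files_param(target: str) -> Optional[str]:
    """Return the decoded `files` value when it is not a bare filename.
    parse_qs() percent-decodes once, matching urldecode() in the vulnerable
    code; any value basename() would change, or an empty or dot value, is an
    attempt to leave var/import/ regardless of how '..' was spelled."""
    parts = urlsplit(target)
    if DATAFLOW_PATH not in parts.path:
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("files", []):
        if value in ("", ".", "..") or value != os.path.basename(value):
            return value
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, decoded files value) for each suspicious Dataflow request."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match:
            value = suspicious_files_param(match.group("target"))
            if value is not None:
                hits.append((line.split(" ", 1)[0], value))
    return hits


if __name__ == "__main__":
    for ip, value in scan(LOG_LINES):
        print(f"ALERT {ip} Dataflow files parameter decodes to {value!r}")
```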

Impact

An attacker with admin access can read sensitive files including:

  • /etc/passwd - System user information
  • app/etc/local.xml - Database credentials
  • .env files - Environment secrets
  • Log files - Potentially sensitive application data
  • Configuration files - Server and application configuration

Credit

This vulnerability was discovered and responsibly disclosed by blackhat2013 through HackerOne.

Timeline

  • 2025-12-31: Vulnerability reported via HackerOne
  • 2026-01-21: Fix developed and tested

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "openmage/magento-lts"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "20.17.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25525"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184",
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-21T14:35:02Z",
    "nvd_published_at": "2026-04-20T17:16:32Z",
    "severity": "MODERATE"
  },
  "details": "The Dataflow module in OpenMage LTS uses a weak blacklist filter (`str_replace(\u0027../\u0027, \u0027\u0027, $input)`) to prevent path traversal attacks. This filter can be bypassed using patterns like `..././` or `....//`, which after the replacement still result in `../`. An authenticated administrator can exploit this to read arbitrary files from the server filesystem.\n\n\n| Metric                   | Value     | Justification                         |\n| ------------------------ | --------- | ------------------------------------- |\n| Attack Vector (AV)       | Network   | Exploitable via admin panel           |\n| Attack Complexity (AC)   | Low       | Simple bypass pattern                 |\n| Privileges Required (PR) | High      | Requires admin authentication         |\n| User Interaction (UI)    | None      | No additional user interaction needed |\n| Scope (S)                | Unchanged | Impacts the vulnerable component      |\n| Confidentiality (C)      | High      | Can read sensitive system files       |\n| Integrity (I)            | None      | Read-only vulnerability               |\n| Availability (A)         | None      | No impact on availability             |\n\n## Affected Products\n\n- OpenMage LTS versions \u003c 20.16.1\n- All versions derived from Magento 1.x with these code paths\n\n## Affected Files\n\n| File                                                         | Line | Vulnerable Code                          |\n| ------------------------------------------------------------ | ---- | ---------------------------------------- |\n| `app/code/core/Mage/Dataflow/Model/Convert/Parser/Csv.php`   | 67   | `str_replace(\u0027../\u0027, \u0027\u0027, urldecode(...))` |\n| `app/code/core/Mage/Dataflow/Model/Convert/Parser/Xml/Excel.php` | 63   | `str_replace(\u0027../\u0027, \u0027\u0027, urldecode(...))` |\n\n## Vulnerability Details\n\nThe Dataflow module allows administrators to import data from files. 
The `files` parameter specifies which file to import from the `var/import/` directory. To prevent path traversal, the code uses `str_replace()` to remove `../` sequences:\n\n```php\n$file = Mage::app()-\u003egetConfig()-\u003egetTempVarDir() . \u0027/import/\u0027\n    . str_replace(\u0027../\u0027, \u0027\u0027, urldecode(Mage::app()-\u003egetRequest()-\u003egetParam(\u0027files\u0027)));\n```\n\nHowever, `str_replace()` only performs a single pass, making it trivially bypassable:\n\n### Bypass Examples\n\n| Input                          | After `str_replace(\u0027../\u0027, \u0027\u0027, ...)` | Result    |\n| ------------------------------ | ----------------------------------- | --------- |\n| `..././`                       | `../`                               | Bypass    |\n| `....//`                       | `../`                               | Bypass    |\n| `..././..././..././etc/passwd` | `../../../etc/passwd`               | File read |\n\n### Attack Scenario\n\n1. Attacker gains admin access (via compromised credentials, social engineering, etc.)\n2. Navigate to System \u003e Import/Export \u003e Dataflow Profiles\n3. Create or modify an import profile\n4. Set the `files` parameter to: `..././..././..././etc/passwd`\n5. Run the profile to read the contents of `/etc/passwd`\n\n### Proof of Concept\n\n```\n# Request to Dataflow with bypass pattern\nGET /admin/system_convert_gui/run/id/1/?files=..././..././..././etc/passwd\n\n# The str_replace removes \u0027../\u0027 leaving:\n# ..././..././..././etc/passwd -\u003e ../../../etc/passwd\n\n# Final path resolves to:\n# /var/www/html/var/import/../../../etc/passwd -\u003e /etc/passwd\n```\n\n## Remediation\n\nReplace the weak `str_replace()` filter with `basename()` to extract only the filename:\n\n```php\n// Before (vulnerable)\n$file = Mage::app()-\u003egetConfig()-\u003egetTempVarDir() . \u0027/import/\u0027\n    . 
str_replace(\u0027../\u0027, \u0027\u0027, urldecode(Mage::app()-\u003egetRequest()-\u003egetParam(\u0027files\u0027)));\n\n// After (fixed)\n$file = Mage::app()-\u003egetConfig()-\u003egetTempVarDir() . \u0027/import/\u0027\n    . basename(urldecode(Mage::app()-\u003egetRequest()-\u003egetParam(\u0027files\u0027)));\n```\n\nUsing `basename()` ensures only the filename portion is used, completely preventing any path traversal regardless of the input pattern.\n\n## Workarounds\n\nIf immediate upgrade is not possible:\n\n1. **Restrict admin access**: Limit Dataflow access to trusted administrators only\n2. **Disable Dataflow**: If not in use, disable the Dataflow module entirely\n3. **Web Application Firewall**: Block requests containing path traversal patterns\n4. **File permissions**: Ensure the web server user has minimal filesystem permissions\n5. **Monitor admin activity**: Alert on suspicious Dataflow profile execution\n\n## Impact\n\nAn attacker with admin access can read sensitive files including:\n\n- `/etc/passwd` - System user information\n- `app/etc/local.xml` - Database credentials\n- `.env` files - Environment secrets\n- Log files - Potentially sensitive application data\n- Configuration files - Server and application configuration\n\n## Credit\n\nThis vulnerability was discovered and responsibly disclosed by [blackhat2013](https://hackerone.com/blackhat2013) through HackerOne.\n\n## Timeline\n\n- **2025-12-31**: Vulnerability reported via HackerOne\n- **2026-01-21**: Fix developed and tested",
  "id": "GHSA-6vqf-6fhm-7rc6",
  "modified": "2026-04-21T14:35:03Z",
  "published": "2026-04-21T14:35:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-6vqf-6fhm-7rc6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25525"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenMage/magento-lts/pull/5445"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3482926"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OpenMage/magento-lts"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.17.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenMage LTS has a Path Traversal Filter Bypass in Dataflow Module"
}

