Path Traversal in plankanban/planka
Aug 2nd 2022
An authenticated user can access any arbitrary file in the system through a path traversal vulnerability in the /attachments/:id/download/thumbnails/:filename endpoint. The filename parameter is not sanitized and it is used to build the path of the target file. Using %2F, the encoded value of the slash character, an attacker can traverse to any directory and read any file.
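The flaw described above, next to one way to close it, as an added example that is not Planka's own code. The storage root, directory layout, function names and sample inputs are assumptions, and the routing layer is assumed to URL-decode route parameters before the handler sees them.

```javascript
// Added example: not Planka's code. ATTACHMENTS_ROOT, the directory layout and
// both function names are assumptions made for illustration.
const path = require("path");

const ATTACHMENTS_ROOT = "/app/private/attachments"; // hypothetical storage root

// Pattern the report describes: the filename route parameter goes straight into
// the file path. path.join() collapses ".." segments, so the result can leave the root.
function unsafeThumbnailPath(dirname, filename) {
  return path.join(ATTACHMENTS_ROOT, dirname, "thumbnails", filename);
}

// Hardened variant. dirname is expected to come from the attachment record
// looked up by :id, never from the request.
function safeThumbnailPath(dirname, filename) {
  if (typeof filename !== "string" || filename.length === 0) return null;
  // A thumbnail name is a single path component: no separators, no NUL, no dot names.
  if (/[\/\\\0]/.test(filename) || filename === "." || filename === "..") return null;
  const base = path.resolve(ATTACHMENTS_ROOT, dirname, "thumbnails");
  const target = path.resolve(base, filename);
  // Defense in depth: the resolved path must still sit under the thumbnails directory.
  if (!target.startsWith(base + path.sep)) return null;
  return target;
}

// Constructed inputs. The routing layer is assumed to URL-decode route
// parameters, so "%2F" reaches the handler as "/".
function demo() {
  const decoded = decodeURIComponent("..%2F..%2F..%2Fsecret.txt");
  return {
    unsafe: unsafeThumbnailPath("abc123", decoded),
    safeTraversal: safeThumbnailPath("abc123", decoded),
    safeNormal: safeThumbnailPath("abc123", "cover-256.png"),
  };
}

console.log(demo());
```

A handler using the hardened function would answer a `null` result with a 404 instead of opening the file.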
Proof of Concept
- 1 - Log in and get an id of a project that has at least one image. If no image is available, upload a new one.
- 2 - Sending the following request allows to read the contents of the
With this vulnerability, an attacker can read many sensitive files, such as configuration files or the /proc/self/environ file, which contains the environment variables used by the web server, including database credentials. If the web server user is root, an attacker will be able to read any file in the system.