Listen to this Post
The vulnerability exists in the Dataflow module of OpenMage LTS versions prior to 20.16.1. When an administrator imports a file via the `files` parameter, the code attempts to sanitize path traversal using str_replace('../', '', $input). This function performs only a single pass, making it trivial to bypass. An attacker can supply patterns like `…/./` which after replacement becomes `../` because the inner `../` is removed but the surrounding dots and slashes reform the traversal. Similarly, `….//` becomes `../` after removing the middle ../. By chaining these patterns, e.g., ..././..././..././etc/passwd, the filter outputs ../../../etc/passwd. The final path concatenates with var/import/, leading to /etc/passwd. The vulnerability requires admin authentication, but once an attacker has admin access (via compromised credentials or social engineering), they can navigate to System > Import/Export > Dataflow Profiles, set the `files` parameter to a bypass payload, and run the profile. The server then reads and returns arbitrary files. The affected code resides in `app/code/core/Mage/Dataflow/Model/Convert/Parser/Csv.php` line 67 and `Xml/Excel.php` line 63. The fix replaces `str_replace()` with basename(), which extracts only the filename component, eliminating any directory traversal regardless of input.
dailycve form:
Platform: OpenMage LTS
Version: <20.16.1
Vulnerability: Path traversal
Severity: Critical
date: 2026-01-21
Prediction: Patch 2026-01-21
What Undercode Say:
Analytics
bash commands and codes:
Check vulnerable version
php -r “include ‘app/Mage.php’; echo Mage::getVersion();”
Test bypass with curl
curl -k “https://target.com/admin/system_convert_gui/run/id/1/?files=…/./…/./…/./etc/passwd” -u admin:pass
Monitor Dataflow requests
grep “system_convert_gui/run” /var/log/apache2/access.log | grep “files=.\.\.”
Exploit:
POST /admin/system_convert_gui/run/id/1/ HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Cookie: admin=1
files=…/./…/./…/./app/etc/local.xml
Protection from this CVE
- Upgrade to OpenMage LTS >=20.16.1
- Apply patch: replace str_replace with basename in both parser files
- Restrict admin IPs and use MFA
- Disable Dataflow module via app/etc/modules/Mage_Dataflow.xml
Impact:
Read /etc/passwd, app/etc/local.xml (DB credentials), .env, logs, and any system file accessible to the web server user. Leads to full server compromise if secrets are exposed.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

