OpenMage LTS, Path Traversal, (no CVE) (Critical)

Listen to this Post

The vulnerability exists in the Dataflow module of OpenMage LTS versions prior to 20.16.1. When an administrator imports a file via the `files` parameter, the code attempts to sanitize path traversal using str_replace('../', '', $input). This function performs only a single pass, making it trivial to bypass. An attacker can supply patterns like `…/./` which after replacement becomes `../` because the inner `../` is removed but the surrounding dots and slashes reform the traversal. Similarly, `….//` becomes `../` after removing the middle ../. By chaining these patterns, e.g., ..././..././..././etc/passwd, the filter outputs ../../../etc/passwd. The final path concatenates with var/import/, leading to /etc/passwd. The vulnerability requires admin authentication, but once an attacker has admin access (via compromised credentials or social engineering), they can navigate to System > Import/Export > Dataflow Profiles, set the `files` parameter to a bypass payload, and run the profile. The server then reads and returns arbitrary files. The affected code resides in `app/code/core/Mage/Dataflow/Model/Convert/Parser/Csv.php` line 67 and `Xml/Excel.php` line 63. The fix replaces `str_replace()` with basename(), which extracts only the filename component, eliminating any directory traversal regardless of input.

dailycve form:

Platform: OpenMage LTS
Version: <20.16.1
Vulnerability: Path traversal
Severity: Critical
date: 2026-01-21

Prediction: Patch 2026-01-21

What Undercode Say:

Analytics

bash commands and codes:

Check vulnerable version

php -r “include ‘app/Mage.php’; echo Mage::getVersion();”

Test bypass with curl

curl -k “https://target.com/admin/system_convert_gui/run/id/1/?files=…/./…/./…/./etc/passwd” -u admin:pass

Monitor Dataflow requests

grep “system_convert_gui/run” /var/log/apache2/access.log | grep “files=.\.\.”

Exploit:

POST /admin/system_convert_gui/run/id/1/ HTTP/1.1

Host: target.com

Content-Type: application/x-www-form-urlencoded

Cookie: admin=1

files=…/./…/./…/./app/etc/local.xml

Protection from this CVE

  • Upgrade to OpenMage LTS >=20.16.1
  • Apply patch: replace str_replace with basename in both parser files
  • Restrict admin IPs and use MFA
  • Disable Dataflow module via app/etc/modules/Mage_Dataflow.xml

Impact:

Read /etc/passwd, app/etc/local.xml (DB credentials), .env, logs, and any system file accessible to the web server user. Leads to full server compromise if secrets are exposed.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top