CVE-2018-25421
Description
Open STA Manager 2.3 contains a path traversal vulnerability that allows authenticated users to download arbitrary files by manipulating the file parameter. Attackers can send GET requests to modules/backup/actions.php with op=getfile and traverse directories using ../ sequences to access sensitive system files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated path traversal in Open STA Manager 2.3 allows arbitrary file download via the file parameter in backup actions.
Vulnerability
Open STA Manager version 2.3 [1] is vulnerable to a path traversal vulnerability in the modules/backup/actions.php script. An authenticated attacker can manipulate the file parameter in a GET request with op=getfile to traverse directories using ../ sequences, allowing access to files outside the intended directory [3].
Exploitation
An attacker must have valid authentication credentials to the Open STA Manager application. The attacker sends a crafted GET request to modules/backup/actions.php with parameters op=getfile and a file value containing path traversal sequences (e.g., ../../../../etc/passwd). No additional user interaction is required [3].
Impact
Successful exploitation allows the attacker to download arbitrary files from the server filesystem, including sensitive system files such as configuration files, password hashes, or application source code. This leads to information disclosure with high confidentiality impact [3].
Mitigation
As of the publication date, no official patch has been released by the vendor. The available references do not mention a fixed version or workaround [1][3]. Users should restrict network access to the vulnerable endpoint or consider upgrading if a future version addresses this issue.
AI Insight generated on May 30, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: =2.3
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation on the `file` parameter in `modules/backup/actions.php` allows directory traversal."
Attack vector
An authenticated attacker sends a GET request to `modules/backup/actions.php` with `op=getfile` and a `file` parameter containing `../` sequences. By traversing directories, the attacker can read arbitrary files on the server filesystem, such as configuration files or system secrets. The attack is network-accessible and requires only low-privilege authentication [ref_id=1].
Affected code
The vulnerability resides in `modules/backup/actions.php` when the `op=getfile` parameter is supplied. The `file` parameter is not sanitized, allowing directory traversal sequences (`../`) to escape the intended backup directory.
What the fix does
The advisory does not include a published patch. To remediate, the application must validate that the resolved path of the `file` parameter stays within an allowed base directory, rejecting any path containing `../` or other traversal sequences. Without such validation, an authenticated user can escape the intended directory and read arbitrary files [ref_id=1].
Preconditions
- authAttacker must have a valid authenticated session on the Open STA Manager application.
- networkThe application must be reachable over the network.
- inputThe `file` parameter must accept user-controlled input without sanitization.
Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.