CVE-2020-35362

Vulnerability

DEXT5Upload versions 2.7.1262310 and earlier are affected by a directory traversal vulnerability in the handler/dext5handler.jsp endpoint. The dext5handler.jsp does not properly validate the fileVirtualPath parameter when processing a downloadRequest action (via dext5CMD=downloadRequest). An attacker can supply path traversal sequences (e.g., ../) in fileVirtualPath to read arbitrary files from the server's filesystem. The attacker must also provide the correct fileOrgName value corresponding to the target file. [1]

Exploitation

An attacker must be able to send HTTP requests to the vulnerable DEXT5Upload endpoint. No authentication is required. The attacker crafts a POST or GET request to handler/dext5handler.jsp with parameters dext5CMD=downloadRequest, fileVirtualPath containing directory traversal sequences (e.g., ../../../../etc/passwd), and fileOrgName set to the expected filename (e.g., passwd). The server then returns the contents of the requested file. [1]

Impact

Successful exploitation allows an unauthenticated attacker to download arbitrary files from the server, leading to information disclosure. This can expose sensitive configuration files, source code, credentials, or other data stored on the server's file system. The attacker gains read access to files outside the intended upload directory.

Mitigation

As of the publication date (2020-12-26), no official patch has been released. Users should upgrade to a version newer than 2.7.1262310 if available, or apply input validation to the fileVirtualPath parameter to reject path traversal sequences. Alternatively, restrict access to the dext5handler.jsp endpoint via web server configuration or firewall rules. [1]