VYPR
Unrated severity · NVD Advisory · Published Mar 12, 2022 · Updated Aug 3, 2024

CVE-2022-26276

Description

OneNav v0.9.14 has an unauthenticated directory traversal in index.php allowing attackers to include arbitrary files and get shell via PEARCMD.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

OneNav v0.9.14 contains a directory traversal vulnerability in index.php due to unsanitized controllable parameters being directly concatenated into file inclusion paths [1]. This allows an attacker to traverse directories and include arbitrary files from the server. The issue specifically enables the inclusion of PHP's native pearcmd.php, which can be abused to write malicious files to the webroot [1]. The vulnerability is present in the default installation without requiring special configuration.

Exploitation

An unauthenticated attacker with network access to the OneNav instance can send crafted HTTP requests to index.php with path traversal sequences (e.g., ../) in a parameter that controls file inclusion [1]. By targeting the PHP PEARCMD component at a known path, the attacker can inject PHP code into a request parameter that pearcmd.php writes to a file on disk [1]. No authentication or user interaction is required; only network access to the vulnerable endpoint is needed.
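From the defender's side, the request pattern described above (traversal sequences such as ../ in a file-inclusion parameter of index.php) is something a log review can surface. The following is an added example, not code from the advisory or from the OneNav project: it scans combined-format access-log lines, decodes the query string repeatedly so percent-encoded and double-encoded variants are normalised, and flags requests to index.php whose query carries a traversal sequence. The log lines are constructed samples, and the parameter name "page" is an assumption, not OneNav's real parameter.

```php
<?php
// Added example (not from the advisory): flag traversal attempts against index.php
// in access-log lines. Sample lines below are constructed; the "page" parameter
// name is an assumption.

declare(strict_types=1);

/** Percent-decode repeatedly (bounded) so %2e%2e%2f and %252e%252e%252f both normalise. */
function fullyDecode(string $s): string
{
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($s);
        if ($decoded === $s) {
            break;
        }
        $s = $decoded;
    }
    return $s;
}

/** True when the request target is index.php and its decoded query contains "../" or "..\". */
function isTraversalAttempt(string $requestTarget): bool
{
    $parts = parse_url($requestTarget);
    if ($parts === false) {
        return false;
    }
    $path = $parts['path'] ?? '';
    if ($path !== '/index.php' && substr($path, -10) !== '/index.php') {
        return false;
    }
    $query = fullyDecode($parts['query'] ?? '');
    return preg_match('#\.\.[/\\\\]#', $query) === 1;
}

/** Extract the request target from a combined-format access-log line, or null. */
function requestTargetFromLogLine(string $line): ?string
{
    if (preg_match('#"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"#', $line, $m)) {
        return $m[1];
    }
    return null;
}

// Constructed sample log lines (not real traffic). Line 2 uses a single-encoded
// traversal, line 3 a double-encoded one, line 4 is a benign request.
$sampleLog = [
    '203.0.113.5 - - [12/Mar/2022:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Mar/2022:10:00:02 +0000] "GET /index.php?page=..%2F..%2F..%2FPLACEHOLDER HTTP/1.1" 200 1024',
    '203.0.113.9 - - [12/Mar/2022:10:00:03 +0000] "GET /index.php?page=..%252F..%252FPLACEHOLDER HTTP/1.1" 200 1024',
    '198.51.100.2 - - [12/Mar/2022:10:00:04 +0000] "GET /static/app.css HTTP/1.1" 200 2048',
];

foreach ($sampleLog as $line) {
    $target = requestTargetFromLogLine($line);
    if ($target !== null && isTraversalAttempt($target)) {
        echo "TRAVERSAL: $line\n";   // expected for lines 2 and 3 only
    }
}
```

The bounded decode loop matters: a single rawurldecode() misses double-encoded sequences, while an unbounded loop can be tricked into long runs on pathological input. In a real deployment the same predicate can be applied to a streaming tail of the log or to a SIEM rule, keyed on the source address for alerting.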

Impact

Successful exploitation leads to arbitrary file write, allowing an attacker to place a malicious PHP file (webshell) into the web-accessible directory [1]. This results in remote code execution (RCE) on the server with the privileges of the web server process. The attacker can then execute arbitrary commands, access or modify data, and potentially pivot to other systems. The confidentiality, integrity, and availability of the OneNav installation and underlying server are fully compromised.

Mitigation

As of the publication date (2022-03-12), there is no patched version of OneNav that fixes this vulnerability [1]. Users should monitor the repository for updates. Until a fix is available, the recommended workaround is to restrict network access to the OneNav instance or to disable the vulnerable functionality by modifying the application code to properly sanitize and validate file inclusion parameters. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
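The root cause described under Vulnerability (a controllable parameter concatenated directly into an include path) and the code-level workaround suggested here (sanitize and validate the file inclusion parameter) are best shown together. The block below is an added example, not OneNav's code: it places a generic unguarded include beside a hardened dispatcher that resolves a user-supplied view name through an allowlist and then confirms the resolved real path still lies inside the intended directory. The parameter name "page", the views/ directory and the allowlist entries are all assumptions.

```php
<?php
// Added illustration (not OneNav's code): guarding a file-inclusion parameter.
// "page", VIEW_DIR and ALLOWED_VIEWS are assumptions for the example.

declare(strict_types=1);

const VIEW_DIR = __DIR__ . '/views';
const ALLOWED_VIEWS = ['home', 'links', 'settings'];

/**
 * Map a user-supplied view name to a file inside VIEW_DIR, or return null.
 * Two independent checks: the name must be on the allowlist, and the resolved
 * real path (symlinks followed) must still start with VIEW_DIR. The second
 * check is defence in depth against a future allowlist entry that is itself a
 * symlink or contains a separator.
 */
function resolveView(string $name): ?string
{
    if (!in_array($name, ALLOWED_VIEWS, true)) {
        return null; // rejects "../..." and any other unknown name outright
    }
    $base = realpath(VIEW_DIR);
    $candidate = realpath(VIEW_DIR . '/' . $name . '.php');
    if ($base === false || $candidate === false) {
        return null; // directory or file does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the view directory
    }
    return $candidate;
}

// Vulnerable pattern, shown only for contrast (do not use): the request fully
// controls the included path, which is the class of flaw the advisory describes.
//   include $_GET['page'];

// Hardened dispatch: only an allowlisted name that resolves under VIEW_DIR is included.
$view = resolveView((string)($_GET['page'] ?? 'home'));
if ($view === null) {
    http_response_code(404);
    exit('Not found');
}
include $view;
```

The allowlist is the control that actually closes the hole; the realpath() prefix check is a second layer. Server-side settings such as open_basedir and keeping allow_url_include off reduce what an inclusion bug can reach, but they do not replace validating the parameter itself.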

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)