CVE-2022-38975

The advisory describes a directory traversal vulnerability in EC-CUBE [ref_id=1]. An attacker can supply a filename or path containing `..` sequences (e.g., `../../etc/passwd`). Because the affected methods did not reject such sequences before resolving the path with `realpath()`, an attacker could probe for the existence of directories outside the intended base directory by observing response differences. The risk is rated low by the vendor, and no authentication bypass is required for the traversal itself.

The vulnerability affects three files: `src/Eccube/Controller/Admin/Content/FileController.php`, `src/Eccube/Controller/Admin/Setting/Shop/PaymentController.php`, and `src/Eccube/Form/Type/Admin/ProductType.php` in EC-CUBE 4.0.0 to 4.1.2. The `checkDir()` method in `FileController.php` lacked a check for `..` characters before calling `realpath()`, and similar path traversal guards were missing in `PaymentController.php` and `ProductType.php` [ref_id=1].

The fix adds checks for `..` sequences in three locations. In `FileController.php::checkDir()` a `strpos($targetDir, '..') !== false` guard returns false early, preventing traversal before `realpath()` is called. In `PaymentController.php` the same `strpos($file, '..') === false` condition is added to the existing file-existence check, so filenames containing `..` are rejected. In `ProductType.php::validateFilePath()` a new loop checks each filename for `..` and sets a form error if found. These changes ensure that user-supplied path components cannot escape the intended base directory [ref_id=1].