VYPR
High severity · NVD Advisory · Published Nov 27, 2023 · Updated Aug 3, 2024

OroPlatform vulnerable to path traversal during temporary file manipulations

CVE-2022-41951

Description

OroPlatform is vulnerable to path traversal in getTemporaryFileName, allowing an attacker to write to arbitrary non-existent files during script execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Details

CVE-2022-41951 is a path traversal vulnerability in OroPlatform, a PHP business application platform. The flaw exists in the Oro\Bundle\GaufretteBundle\FileManager::getTemporaryFileName method. Because the method does not sanitize the $suggestedFileName parameter, an attacker can supply a path containing directory traversal sequences (e.g., ../) that points to a non-existent file. This allows writing arbitrary content to a new file, which will exist for the duration of the script execution [1][2].

Exploitation

An attacker must be able to control the $suggestedFileName parameter passed to getTemporaryFileName. This can be achieved through any application feature that accepts a user-supplied filename for temporary file creation. No authentication is explicitly mentioned as a prerequisite; however, the attacker generally needs some level of access to the application to trigger the vulnerable code path. The file is written to the filesystem and is available during the script's runtime [2].

Impact

A successful attack allows an attacker to write arbitrary content to an arbitrary location on the filesystem, subject to the web server's write permissions. Since the file is automatically deleted when the script ends, this vulnerability is primarily useful for storing temporary payloads or manipulating data during the same request. The impact depends on the application's context and what can be achieved with a transient file [1][2].

Mitigation

OroPlatform has fixed this vulnerability in version 5.0.9 by applying a patch that uses the basename() function to strip any path components from the suggested filename [1][2]. Users on affected versions (4.1.0–4.1.14, 4.2.0–4.2.11, 5.0.0–5.0.8) should upgrade immediately. As a temporary workaround, developers can decorate the FileManager service to clear the $suggestedFileName argument or apply the provided patch [2].
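The following is an added illustration of the two shapes described above, the unsanitized join and the basename()-based fix, and is not OroPlatform's code. The function names, the $tmpDir parameter and the sample inputs are hypothetical; the advisory only states that getTemporaryFileName did not sanitize $suggestedFileName and that the fix strips path components with basename(). The extra rejections and the containment check are defence-in-depth additions made here, not part of the vendor patch.

```php
<?php
// Added illustration, not OroPlatform's code. Function and parameter names
// are hypothetical; only the use of basename() is taken from the advisory.

declare(strict_types=1);

/**
 * Vulnerable shape: the caller-supplied name is joined to the temp directory
 * unchanged, so "../" segments in $suggestedFileName move the resulting path
 * out of $tmpDir (the defect class described in the advisory).
 */
function temporaryFileNameUnsafe(string $tmpDir, string $suggestedFileName): string
{
    return rtrim($tmpDir, '/') . '/' . $suggestedFileName;
}

/**
 * Hardened shape: basename() drops every directory component, which is the
 * approach the advisory credits for the fix. The rejections below are added
 * here as defence in depth: basename() passes "." and ".." through unchanged,
 * and on a Unix host it does not treat "\" as a directory separator.
 */
function temporaryFileNameSafe(string $tmpDir, string $suggestedFileName): string
{
    $name = basename($suggestedFileName);

    if ($name === '' || $name === '.' || $name === '..'
        || str_contains($name, "\0") || str_contains($name, '\\')) {
        throw new InvalidArgumentException('Unusable temporary file name');
    }

    $path = rtrim($tmpDir, '/') . '/' . $name;

    // Containment check: once symlinks and "." / ".." are resolved, the parent
    // of the resulting path must be the temp directory itself.
    if (realpath(dirname($path)) !== realpath($tmpDir)) {
        throw new RuntimeException('Temporary file escapes the temp directory');
    }

    return $path;
}

// Constructed inputs for a quick self-check (run with: php this_file.php).
// Nothing is written to disk; only the computed paths are printed.
$tmpDir = sys_get_temp_dir();
$cases = [
    'report.csv',            // ordinary name
    '../../outside.txt',     // traversal attempt: escapes in the unsafe version
    'nested/dir/../x.csv',   // relative components inside the name
    '..',                    // survives basename() and must be rejected explicitly
];

foreach ($cases as $suggested) {
    printf("unsafe : %s\n", temporaryFileNameUnsafe($tmpDir, $suggested));
    try {
        printf("safe   : %s\n", temporaryFileNameSafe($tmpDir, $suggested));
    } catch (Throwable $e) {
        printf("safe   : rejected (%s)\n", $e->getMessage());
    }
}
```

Running the script shows the unsafe function producing a path outside the temp directory for the traversal inputs, while the safe function reduces them to a bare file name inside $tmpDir or rejects them. The basename() step alone is what the advisory describes; the explicit rejection of "." and ".." matters because basename() returns those strings unchanged, and the final realpath() comparison catches any future change to the name-building logic that reintroduces a directory component.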

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  | Affected versions    | Patched versions
oro/platform (Packagist) | >= 4.1.0, <= 4.1.13  | (not listed)
oro/platform (Packagist) | >= 4.2.0, <= 4.2.10  | (not listed)
oro/platform (Packagist) | >= 5.0.0, < 5.0.8    | 5.0.8

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (No linked articles in our index yet.)