VYPR
Unrated severity · NVD Advisory · Published Jun 8, 2023 · Updated Feb 13, 2025

Thruk has Path Traversal Vulnerability in panorama.pm

CVE-2023-34096

Description

Thruk monitoring web interface 3.06 and prior allow authenticated path traversal via the panorama.pm plugin, enabling arbitrary file upload to writable directories.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2023-34096 is a path traversal vulnerability in Thruk, a multi-backend monitoring web interface supporting Naemon, Icinga, Shinken, and Nagios. The flaw resides in the panorama.pm plugin file, at plugins/plugins-available/panorama/lib/Thruk/Controller/panorama.pm [2]. Affected versions are Thruk 3.06 and all earlier releases [1][2][4]. The location parameter, which controls the destination folder for uploaded background images in the Dashboard feature, is not filtered, validated, or sanitized [2][4]. An attacker must be authenticated to reach the vulnerable code path [2][4].

Exploitation

An attacker with valid authentication can exploit the vulnerability by intercepting a legitimate image upload request (e.g., via Burp Suite) and modifying the location parameter to include path traversal sequences such as ../ [1][2][4]. The unsanitized location value is concatenated with the filename, and the resulting path is used to move the uploaded file via a move_uploaded_file operation [2][4]. No special privileges beyond standard user access are required; the attacker only needs a writable target directory on the filesystem.

Impact

Successful exploitation allows a remote authenticated attacker to upload arbitrary files (with allowed extensions, e.g., image files) to any folder on the system that has write permissions [1][2][4]. This could lead to unauthorized file writes, potentially enabling code execution (e.g., by overwriting a Perl module or configuration file) or denial of service. The exact confidentiality, integrity, and availability impact depends on the target directory and the attacker's objectives.

Mitigation

The vulnerability is fixed in Thruk version 3.06.2, released after the disclosure [1][2][3]. Users should upgrade immediately to 3.06.2 or later [2][3]. No workarounds are available in the references; however, restricting write permissions on sensitive directories and monitoring file upload logs may reduce risk. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1][2][4].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input validation and sanitization of the `location` parameter in `panorama.pm` allows path traversal sequences to escape the intended upload directory."

Attack vector

An attacker with a valid Thruk session (authenticated user) can exploit the dashboard background image upload form. The attacker intercepts the upload request with a tool like Burp Suite and modifies the `location` parameter — normally set to `backgrounds/` — to include path traversal sequences such as `backgrounds/../../../../tmp/` [ref_id=1][ref_id=3]. Because the `location` parameter is not filtered, validated, or sanitized, the file is written to the attacker-chosen directory. The only characters required for the traversal are the dot (`.`) and the slash (`/`) [ref_id=3].

Affected code

The vulnerable code is in `plugins/plugins-available/panorama/lib/Thruk/Controller/panorama.pm`, specifically in the `_task_upload` subroutine. The `$location` parameter is taken directly from the client request and concatenated with the user content folder path without any sanitization or validation [ref_id=1][ref_id=3]. The patch was applied to the same file, adding folder validation using `abs_path` from the `Cwd` module [ref_id=4].

What the fix does

The patch in commit `cf03f67621b7bb20e2c768bc62b30e976206aa17` fixes the vulnerability by resolving both the user content folder and the target folder to their absolute paths using `abs_path()` and then checking that the target path starts with the user content folder path [ref_id=4]. If the target is not a subfolder of the user content folder, the upload is rejected with an error message. This prevents path traversal sequences from escaping the intended directory. The changelog entry in commit `26de047275c355c5ae2bbbc51b164f0f8bef5c5b` notes the fix as "fix folder validation (CVE-2023-34096)" [ref_id=2].
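The containment check described above, written out as an added Perl example; this is not Thruk's own code or the exact form of the fix commit, and the folder names, the temporary directory layout and the helper name `validated_upload_folder` are assumptions made for the demonstration. It resolves both the user content folder and the client-supplied target with `Cwd::abs_path` and accepts the target only when it is the base folder or lies strictly beneath it. Two details the prose glosses over are handled explicitly: the prefix comparison includes a trailing separator, so a sibling folder whose name merely starts with the base name is not accepted, and a target that cannot be resolved to an existing directory is rejected rather than passed through.

```perl
#!/usr/bin/env perl
# Added example (not Thruk's code): a path-containment check in the style of
# the CVE-2023-34096 fix. Resolve base and target with abs_path(), then
# require the target to be the base folder or a descendant of it.
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Spec;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Returns the resolved absolute target folder if it lies inside $base,
# or undef if it escapes, does not exist, or cannot be resolved.
sub validated_upload_folder {
    my ($base, $location) = @_;

    my $base_abs = abs_path($base);
    return undef unless defined $base_abs && -d $base_abs;

    # Join the client-supplied location onto the base folder (as the
    # vulnerable code did), then let abs_path() collapse ".." segments
    # and symlinks before any comparison is made.
    my $target_abs = abs_path(File::Spec->catdir($base_abs, $location));
    return undef unless defined $target_abs && -d $target_abs;

    # Exact match: uploading into the base folder itself is allowed.
    return $target_abs if $target_abs eq $base_abs;

    # Compare with a trailing separator so "/srv/user_content_evil" is not
    # mistaken for a child of "/srv/user_content".
    my $prefix = $base_abs . '/';
    return undef unless index($target_abs, $prefix) == 0;
    return $target_abs;
}

# Constructed directory layout under a throwaway temp dir (assumption):
#   <root>/user_content/backgrounds   the legitimate upload folder
#   <root>/user_content_evil          a sibling sharing the base name prefix
#   <root>/tmp                        a writable folder outside user content
my $root         = tempdir(CLEANUP => 1);
my $user_content = "$root/user_content";
make_path("$user_content/backgrounds", "$root/user_content_evil", "$root/tmp");

# Constructed location values paired with the verdict the check should give.
my @cases = (
    ['backgrounds/',            'accepted'],   # normal dashboard upload
    ['backgrounds/../../tmp/',  'rejected'],   # traversal out of user content
    ['../user_content_evil/',   'rejected'],   # sibling with same name prefix
    ['does_not_exist/',         'rejected'],   # unresolvable target
);

for my $case (@cases) {
    my ($location, $expected) = @$case;
    my $verdict = defined validated_upload_folder($user_content, $location)
        ? 'accepted' : 'rejected';
    printf "%-28s %-9s (expected %s)\n", $location, $verdict, $expected;
}
```

Run it with `perl containment_check.pl`; every line should report the same verdict as its expected value. Because both sides are passed through `abs_path()`, the check is unaffected by whether the base folder itself is reached through a symlink, which is the usual reason a naive string comparison of an unresolved path can be bypassed.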

Preconditions

  • auth: Attacker must have a valid authenticated session in Thruk
  • network: Attacker must have network access to the Thruk web interface
  • config: The target directory must have write permissions for the web server user
  • input: Attacker must upload a file with an allowed extension (image file)

Reproduction

1. Log in to Thruk and navigate to the dashboard background image upload form.
2. Select any file with an allowed extension and intercept the upload request with Burp Suite.
3. Modify the `location` parameter from `backgrounds/` to `backgrounds/../../../../tmp/`.
4. Forward the request. A success message is returned.
5. Verify the file appears in `/tmp/` on the server [ref_id=1][ref_id=3].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 10

News mentions: 0

No linked articles in our index yet.