CVE-2026-41465: Path Traversal via dynamicDialog.php

Published 24 April 2026
CVSS 7.1
ProjeQtor
ProjeQtor
From 7.0 to 12.4.4
Executive summary

The application allows log file access via the logname parameter in /tool/dynamicDialog.php, but lacks proper validation. This enables Path Traversal (e.g., ../), allowing attackers to access files outside the intended directory. The only restriction is the .log extension, making filesystem traversal possible.

Description

The application exposes a feature that allows viewing log files via the logname parameter of the /tool/dynamicDialog.php endpoint.

The controls applied to this parameter are insufficient and do not prevent Path Traversal sequences (e.g., ../). As a result, an attacker can manipulate this parameter to access files located outside the originally intended directory.

Analysis shows that the only effective constraint appears to be related to the file extension (.log), without strict path validation, allowing traversal of the filesystem hierarchy.

Attack Vectors

  • Network access: Remote
  • Authentication required: Low
  • User interaction: None required
  • Affected parameter: File Path
  • Triggered by injecting traversal sequences (../, %2e%2e%2f, %252e%252e%252f) into the parameter

Steps to Reproduce (PoC)

A crafted HTTP request can exploit this vulnerability by injecting directory traversal sequences:

POST /tool/dynamicDialog.php?dialog=dialogLogfile&isIE=&logname=test/../../../../../log/dpkg.log&csrfToken=... HTTP/1.1
Host: stirling.local:8080

In this example:

  1. The logname parameter is modified to include ../../../../../, allowing escape from the expected directory.
  2. The target file /log/dpkg.log becomes accessible, despite being outside the authorized scope.

Tests confirm that it is possible to access any file ending with .log, provided its path on the system is known or can be guessed.
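
A detection-side example for the request pattern above, added here and not part of the original advisory or of ProjeQtor's code: it scans web-server access-log lines for logname values sent to /tool/dynamicDialog.php that still contain a traversal segment after repeated percent-decoding, which covers the ../, %2e%2e%2f and %252e%252e%252f forms listed under Attack Vectors. The combined log format, the sample lines and the function names are assumptions, and logname is assumed to travel in the query string as in the request shown.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

ENDPOINT = "/tool/dynamicDialog.php"
# Request field of a combined-format access-log line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so %252e%252e%252f collapses to ../"""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(logname):
    """True if the decoded logname is absolute or contains a '..' segment."""
    path = fully_decode(logname).replace("\\", "/")
    return path.startswith("/") or ".." in path.split("/")

def suspicious_requests(log_lines):
    """Return (line_number, decoded logname) for traversal attempts."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if url.path != ENDPOINT:
            continue
        # parse_qsl already performs the first decoding round.
        params = dict(parse_qsl(url.query, keep_blank_values=True))
        logname = params.get("logname", "")
        if is_traversal(logname):
            hits.append((number, fully_decode(logname)))
    return hits

# Constructed sample lines; addresses, timestamps and the benign name are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Apr/2026:10:00:01 +0000] "POST /tool/dynamicDialog.php?dialog=dialogLogfile&isIE=&logname=app_20260424 HTTP/1.1" 200 512',
    '192.0.2.66 - - [24/Apr/2026:10:00:05 +0000] "POST /tool/dynamicDialog.php?dialog=dialogLogfile&isIE=&logname=test/../../../../../log/dpkg.log HTTP/1.1" 200 9001',
    '192.0.2.66 - - [24/Apr/2026:10:00:06 +0000] "POST /tool/dynamicDialog.php?dialog=dialogLogfile&logname=test%2f%2e%2e%2f%2e%2e%2flog%2fdpkg.log HTTP/1.1" 200 9001',
    '192.0.2.66 - - [24/Apr/2026:10:00:07 +0000] "POST /tool/dynamicDialog.php?dialog=dialogLogfile&logname=%252e%252e%252f%252e%252e%252flog%252fdpkg.log HTTP/1.1" 200 9001',
    '192.0.2.10 - - [24/Apr/2026:10:00:09 +0000] "GET /view/main.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, logname in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: traversal in logname -> {logname}")
```
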

Impact

  • Unauthorized access to sensitive files (application logs, system logs, etc.)
  • Disclosure of critical information (internal paths, errors, user data)
  • Facilitation of further attacks (reconnaissance, privilege escalation)

Possible Mitigation

  • Strict path validation:
    • Block any occurrence of ../ or similar sequences
    • Use a whitelist of allowed files
    • Resolve the real path using realpath() and ensure it belongs to the authorized directory:
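      // realpath() resolves ../ sequences and symlinks; it returns false if the file does not exist
      $baseDir = '/var/www/logs/';
      $filePath = realpath($baseDir . $userInput);
      // Reject anything that does not resolve to a path under the base directory
      if ($filePath === false || strpos($filePath, $baseDir) !== 0) {
          die('Unauthorized access');
      }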
      

Authors

© 2023 Yassine Damiri. All Rights Reserved.