<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Sharp - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/sharp/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 29 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/sharp/feed.xml" rel="self" type="application/rss+xml"/><item><title>code16/sharp Package Vulnerable to Path Traversal via Unsanitized File Extension</title><link>https://feed.craftedsignal.io/briefs/2024-01-29-sharp-path-traversal/</link><pubDate>Mon, 29 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-29-sharp-path-traversal/</guid><description>The code16/sharp package is vulnerable to path traversal due to improper sanitization of file extensions, allowing authenticated attackers to manipulate file paths to write files outside the intended temporary directory or overwrite critical files.</description><content:encoded><![CDATA[<p>The code16/sharp package, a PHP framework component, is vulnerable to a path traversal flaw (CVE-2026-33686) affecting versions prior to 9.20.0. The vulnerability resides in the <code>FileUtil</code> class, specifically within the <code>explodeExtension()</code> function, where the file extension is extracted without proper sanitization. This allows an authenticated attacker to inject path separators into the extension, bypassing the <code>normalizeName()</code> function, which only cleans the base filename. This vulnerability, reported by zaurgsynv, poses a significant risk as it allows for arbitrary file writes and potential overwrites of critical system files. The issue was addressed in pull request #715 by implementing proper extension sanitization using <code>pathinfo(PATHINFO_EXTENSION)</code> and strict regex replacements.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated attacker identifies the vulnerable <code>FileUtil::explodeExtension()</code> function in the code16/sharp package.</li>
<li>The attacker crafts a malicious filename with a path traversal sequence embedded within the file extension (e.g., &quot;image.jpg/../../.env&quot;).</li>
<li>The crafted filename is submitted to the application through a file upload or similar functionality that utilizes the vulnerable <code>FileUtil</code> class.</li>
<li>The <code>FileUtil::explodeExtension()</code> function extracts the malicious extension (&quot;jpg/../../.env&quot;) without proper sanitization.</li>
<li>The <code>normalizeName()</code> function is called, but it only cleans the base filename (&quot;image&quot;), leaving the malicious extension untouched.</li>
<li>The unsanitized filename is passed to the <code>storeAs()</code> function.</li>
<li>The <code>storeAs()</code> function, using the attacker-controlled path, writes the file to an arbitrary location outside the intended temporary directory.</li>
<li>The attacker successfully overwrites a critical file (e.g., &quot;.env&quot; or configuration file), potentially leading to code execution or information disclosure.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The path traversal vulnerability (CVE-2026-33686) in the code16/sharp package allows authenticated attackers to manipulate file paths and potentially overwrite existing files. This can lead to arbitrary code execution if critical configuration files are overwritten, or sensitive information disclosure if the attacker gains access to files outside of the intended directory. While specific victim numbers are unavailable, successful exploitation could compromise entire applications built using the code16/sharp package, with a potential impact ranging from data breaches to complete system takeover.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the <code>code16/sharp</code> package to version 9.20.0 or later to remediate CVE-2026-33686.</li>
<li>Deploy the provided Sigma rule to your SIEM to detect attempts to exploit this path traversal vulnerability in web server logs.</li>
<li>Review and harden file upload and processing mechanisms in your applications to prevent path traversal attacks, even with patched libraries.</li>
<li>Monitor web server logs for suspicious file upload requests containing path traversal sequences in filenames.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>path-traversal</category><category>web-application</category><category>php</category><category>code16/sharp</category></item></channel></rss>