{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/code16/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["sharp"],"_cs_severities":["high"],"_cs_tags":["path-traversal","web-application","php","code16/sharp"],"_cs_type":"advisory","_cs_vendors":["code16"],"content_html":"\u003cp\u003eThe code16/sharp package, a PHP framework component, is vulnerable to a path traversal flaw (CVE-2026-33686) affecting versions prior to 9.20.0. The vulnerability resides in the \u003ccode\u003eFileUtil\u003c/code\u003e class, specifically within the \u003ccode\u003eexplodeExtension()\u003c/code\u003e function, where the file extension is extracted without proper sanitization. This allows an authenticated attacker to inject path separators into the extension, bypassing the \u003ccode\u003enormalizeName()\u003c/code\u003e function, which only cleans the base filename. This vulnerability, reported by zaurgsynv, poses a significant risk as it allows for arbitrary file writes and potential overwrites of critical system files. The issue was addressed in pull request #715 by implementing proper extension sanitization using \u003ccode\u003epathinfo(PATHINFO_EXTENSION)\u003c/code\u003e and strict regex replacements.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker identifies the vulnerable \u003ccode\u003eFileUtil::explodeExtension()\u003c/code\u003e function in the code16/sharp package.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious filename with a path traversal sequence embedded within the file extension (e.g., \u0026quot;image.jpg/../../.env\u0026quot;).\u003c/li\u003e\n\u003cli\u003eThe crafted filename is submitted to the application through a file upload or similar functionality that utilizes the vulnerable \u003ccode\u003eFileUtil\u003c/code\u003e class.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eFileUtil::explodeExtension()\u003c/code\u003e function extracts the malicious extension (\u0026quot;jpg/../../.env\u0026quot;) without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enormalizeName()\u003c/code\u003e function is called, but it only cleans the base filename (\u0026quot;image\u0026quot;), leaving the malicious extension untouched.\u003c/li\u003e\n\u003cli\u003eThe unsanitized filename is passed to the \u003ccode\u003estoreAs()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003estoreAs()\u003c/code\u003e function, using the attacker-controlled path, writes the file to an arbitrary location outside the intended temporary directory.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully overwrites a critical file (e.g., \u0026quot;.env\u0026quot; or configuration file), potentially leading to code execution or information disclosure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe path traversal vulnerability (CVE-2026-33686) in the code16/sharp package allows authenticated attackers to manipulate file paths and potentially overwrite existing files. This can lead to arbitrary code execution if critical configuration files are overwritten, or sensitive information disclosure if the attacker gains access to files outside of the intended directory. While specific victim numbers are unavailable, successful exploitation could compromise entire applications built using the code16/sharp package, with a potential impact ranging from data breaches to complete system takeover.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003ecode16/sharp\u003c/code\u003e package to version 9.20.0 or later to remediate CVE-2026-33686.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect attempts to exploit this path traversal vulnerability in web server logs.\u003c/li\u003e\n\u003cli\u003eReview and harden file upload and processing mechanisms in your applications to prevent path traversal attacks, even with patched libraries.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious file upload requests containing path traversal sequences in filenames.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-29-sharp-path-traversal/","summary":"The code16/sharp package is vulnerable to path traversal due to improper sanitization of file extensions, allowing authenticated attackers to manipulate file paths to write files outside the intended temporary directory or overwrite critical files.","title":"code16/sharp Package Vulnerable to Path Traversal via Unsanitized File Extension","url":"https://feed.craftedsignal.io/briefs/2024-01-29-sharp-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed - Code16","version":"https://jsonfeed.org/version/1.1"}