CVE-2025-41073
📋 TL;DR
This path traversal vulnerability in TESI Gandia Integra Total version 4.4.2236.1 allows authenticated attackers to download ZIP files containing sensitive server files by manipulating the 'direstudio' parameter. Attackers can access files from parent directories using directory traversal sequences (e.g., ..\..\..). Organizations using this specific version of the software are affected.
💻 Affected Systems
- TESI Gandia Integra Total
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through extraction of sensitive configuration files, credentials, or database files leading to data breach and system takeover.
Likely Case
Unauthorized access to sensitive files containing configuration data, user information, or business data stored on the server.
If Mitigated
Limited access to non-critical files if proper file permissions and web server configurations restrict sensitive file access.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of the vulnerable endpoint. Directory traversal sequences must be properly crafted.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 4.4.2236.1
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/path-traversal-gandia-integra-total-tesi
Restart Required: No
Instructions:
1. Contact TESI for an updated version.
2. Apply the patch/upgrade to a version after 4.4.2236.1.
3. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement server-side validation to reject directory traversal sequences in the 'direstudio' parameter.
Modify comprimir.php to sanitize input: $direstudio = str_replace(['..', '\\', '/'], '', $_GET['direstudio']); Note that this is a blacklist: it strips separators and '..' but does not prove the result stays inside the intended studies directory, so a stronger check resolves the final path (e.g. with realpath()) and rejects it unless it begins with the expected base directory.
Access Control Restriction
Restrict access to the vulnerable endpoint to authorized users only and implement additional authentication checks.
Add authentication verification at the beginning of comprimir.php, after session_start() so that $_SESSION is populated: if(!isset($_SESSION['authenticated']) || $_SESSION['authenticated'] !== true) { die('Access denied'); }
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests containing directory traversal patterns
- Restrict file system permissions for the web server user to limit access to sensitive directories
🔍 How to Verify
Check if Vulnerable:
Test the endpoint /encuestas/integraweb[_v4]/integra/html/view/comprimir.php with directory traversal sequences in the 'direstudio' parameter while authenticated
Check Version:
Check software version in application interface or configuration files
Verify Fix Applied:
After patching, repeat the same request; the server should return an error or no file download.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to comprimir.php with 'direstudio' parameter containing '..' sequences
- Unusual file download patterns from the application
Network Indicators:
- HTTP GET requests with encoded directory traversal patterns (%2e%2e%2f or similar)
- Multiple requests attempting different path traversal variations
SIEM Query:
source="web_logs" AND uri="*comprimir.php*" AND (query="*..*" OR query="*%2e%2e*")
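The SIEM query above matches '..' only literally or singly URL-encoded. The following is an added example, not part of the original advisory, showing the same log indicators applied in Python to constructed Apache-style access-log lines (sample IPs, users and timestamps are made up); it percent-decodes repeatedly so double-encoded sequences such as %252e are also caught, and only flags a '..' that is followed by a separator or ends the value, to reduce noise from study names that merely contain dots.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache common-log style; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - jdoe [12/Mar/2025:10:01:02 +0100] "GET /encuestas/integraweb_v4/integra/html/view/comprimir.php?direstudio=estudio1 HTTP/1.1" 200 5120
10.0.0.5 - jdoe [12/Mar/2025:10:01:09 +0100] "GET /encuestas/integraweb_v4/integra/html/view/comprimir.php?direstudio=..%5C..%5C..%5C HTTP/1.1" 200 98304
10.0.0.7 - ana [12/Mar/2025:10:02:00 +0100] "GET /encuestas/integraweb_v4/integra/html/view/comprimir.php?direstudio=%252e%252e%252fconf HTTP/1.1" 200 2048
10.0.0.9 - - [12/Mar/2025:10:03:00 +0100] "GET /index.php?page=..%2f..%2f HTTP/1.1" 404 0
"""

# Client IP, authenticated user and the request target from a common-log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
# '..' followed by a slash, a backslash, or the end of the value.
TRAVERSAL_RE = re.compile(r'\.\.(?:[\\/]|$)')


def decode_fully(value, max_rounds=3):
    """Percent-decode until the value stops changing, so %252e (double-encoded '.') is seen as '.'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    """True when the decoded 'direstudio' value contains a parent-directory step."""
    return TRAVERSAL_RE.search(decode_fully(value)) is not None


def find_traversal_attempts(log_text):
    """Return one record per comprimir.php request whose 'direstudio' value steps out of its directory."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/comprimir.php"):
            continue  # only the vulnerable endpoint is of interest here
        for value in parse_qs(parts.query).get("direstudio", []):
            if is_traversal(value):
                hits.append({"ip": m.group("ip"), "user": m.group("user"),
                             "direstudio": decode_fully(value)})
    return hits
```

Running find_traversal_attempts(SAMPLE_LOG) reports the second and third lines (the backslash and the double-encoded variants) and ignores the benign study name and the unrelated index.php request.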