CVE-2025-60915
📋 TL;DR
This vulnerability allows attackers to perform path traversal via the size query parameter of the file-serving view in Openatlas (implemented in views/file.py). Because the parameter is used as a path component without validation, an unauthenticated crafted request can read arbitrary files that the application user can access, including sensitive configuration files. All Openatlas installations before version 8.12.0 are affected.
💻 Affected Systems
- Austrian Archaeological Institute Openatlas, all versions before 8.12.0
📦 What is this software?
Openatlas is an open-source web application developed by the Austrian Archaeological Institute for acquiring, editing and managing archaeological, historical and related research data. The vulnerable file-serving view is part of its Python web backend.
⚠️ Risk & Real-World Impact
Worst Case
Disclosure of configuration files holding database credentials, API keys or the application's secret key, which an attacker chains into direct database access or forged sessions, followed by data exfiltration, privilege escalation, or lateral movement to other systems. Reading files does not by itself give code execution; the damage comes from what the leaked secrets unlock.
Likely Case
Exfiltration of configuration files containing database credentials or other secrets, leading to a breach of the research data held in the database.
If Mitigated
Limited file access restricted by proper input validation and file system permissions, preventing access to critical system files.
🎯 Exploit Status
The vulnerability requires only a crafted HTTP request to the vulnerable endpoint. Public proof-of-concept details are available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.12.0
Advisory (third-party, sec4you-pentest): https://www.sec4you-pentest.com/schwachstelle/openatlas-schwachstelle-lfi-konfigurationsdatei-exfiltration/
Restart Required: Yes
Instructions:
1. Backup your Openatlas installation and database.
2. Download Openatlas version 8.12.0 or later from the official repository.
3. Replace the existing installation with the patched version.
4. Restart the web server/service.
5. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Input Validation Filter
- Add server-side validation that accepts only the known size values the application actually serves; rejecting ../ sequences alone is not enough, since encoded and absolute-path variants also escape the directory
- Modify views/file.py so the resolved file path is checked to lie inside the intended base directory before the file is opened
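To make the workaround concrete, the following added example (not Openatlas project code, and not the advisory's) shows a file-serving helper in the vulnerable shape described above, where an untrusted size value is joined straight into a filesystem path, beside a hardened version that whitelists the size and confines the resolved path to the base directory. The directory layout, the ALLOWED_SIZES set and the function names are assumptions for illustration.

```python
"""Added example, not OpenAtlas project code: a vulnerable file-serving helper
(untrusted ``size`` joined into a filesystem path) beside a hardened version.
Directory layout, ALLOWED_SIZES and the function names are assumptions."""
import shutil
import tempfile
from pathlib import Path

# Hypothetical set of size folders the application actually serves from.
ALLOWED_SIZES = {"thumbnail", "table"}


def read_file_vulnerable(base_dir, size: str, filename: str) -> bytes:
    """Vulnerable pattern: ``size`` (and ``filename``) go straight into the path.
    '../' in either component walks out of ``base_dir``; an absolute ``filename``
    even replaces the base entirely, because Path() restarts at '/'."""
    return Path(base_dir, size, filename).read_bytes()


def read_file_hardened(base_dir, size: str, filename: str) -> bytes:
    """Hardened: whitelist ``size``, then confine the *resolved* target to
    ``base_dir``. resolve() follows symlinks and collapses '..', so the
    containment check is made on the real path, not on the requested string."""
    if size not in ALLOWED_SIZES:
        raise ValueError(f"unknown size {size!r}")
    base = Path(base_dir).resolve()
    target = (base / size / filename).resolve()
    if base not in target.parents:
        raise PermissionError(f"{filename!r} escapes {base}")
    return target.read_bytes()


def _outcome(fn, *args):
    """Return the bytes read, or the exception class name if the call was refused."""
    try:
        return fn(*args)
    except (ValueError, PermissionError) as exc:
        return type(exc).__name__


def demo() -> dict:
    """Build a throwaway directory tree (constructed test data), exercise both
    handlers and return the outcomes so they can be checked programmatically."""
    root = Path(tempfile.mkdtemp())
    try:
        # A config file that lives outside the uploads directory.
        (root / "secret.cfg").write_text("DB_PASSWORD=hunter2\n")
        uploads = root / "uploads"
        (uploads / "thumbnail").mkdir(parents=True)
        (uploads / "thumbnail" / "site.png").write_bytes(b"PNG-bytes")

        out = {}
        # A legitimate request works in both versions.
        out["ok_vuln"] = read_file_vulnerable(uploads, "thumbnail", "site.png")
        out["ok_hard"] = read_file_hardened(uploads, "thumbnail", "site.png")
        # Traversal via size: the vulnerable handler hands back the config file.
        out["trav_vuln"] = read_file_vulnerable(uploads, "../", "secret.cfg")
        out["trav_hard"] = _outcome(read_file_hardened, uploads, "../", "secret.cfg")
        # Whitelist passes here, so the containment check has to do the work.
        out["fname_hard"] = _outcome(read_file_hardened, uploads, "thumbnail", "../../secret.cfg")
        return out
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

In a Flask application the same containment check is what werkzeug.utils.safe_join and flask.send_from_directory perform for a single untrusted path component; the whitelist on size is still worth keeping, since it rejects anything other than the handful of values the view is meant to serve.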
Web Application Firewall Rule
- Block requests containing path traversal patterns in query parameters
- Add a WAF rule that detects and blocks patterns such as ../, ..\, %2e%2e%2f, ..%2f and the double-encoded %252e%252e%252f in query strings; make sure the WAF URL-decodes the query string before matching, otherwise encoded variants pass through
🧯 If You Can't Patch
- Implement strict web application firewall rules to block path traversal patterns in all requests
- Restrict file system permissions for the Openatlas application user to limit accessible directories
🔍 How to Verify
Check if Vulnerable:
Test by sending a request to the file-serving endpoint (the view in views/file.py) with a size parameter containing path traversal sequences (e.g., size=../../../etc/passwd) and checking whether file contents come back instead of an error; compare the response with a benign size value so you can tell a traversal result from the normal output.
Check Version:
Check the Openatlas version in the application interface or configuration files, or, if the installed package exposes it, run: python -c "import openatlas; print(openatlas.__version__)"
Verify Fix Applied:
After patching, repeat the vulnerable request and verify that path traversal attempts are blocked or return error responses instead of file contents.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /views/file.py with suspicious size parameters containing ../, ..\, or encoded equivalents
- Unusual file access patterns from the web application user
Network Indicators:
- HTTP requests with path traversal patterns in query parameters
- Unusual outbound data transfers following file read attempts
SIEM Query:
source="web_server" AND query_string="*size=*" AND (query_string="*../*" OR query_string="*..\\*" OR query_string="*%2e%2e*" OR query_string="*..%2f*" OR query_string="*%252e%252e*")
Restrict uri_path to the route served by views/file.py in your deployment. Wildcard matching on the raw query string misses encodings not listed above; decoding the query string before matching is more reliable.
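The following added example (not from the advisory or the Openatlas project) runs that detection logic over constructed access-log lines. It parses each request line, URL-decodes the query parameters up to a bounded number of rounds so that double-encoded sequences are caught, and flags parameters whose decoded value contains a .. path segment. The log lines and the request path /file/site.png are constructed for the example and are not a confirmed Openatlas route.

```python
"""Added example, not from the advisory: scan access-log lines for traversal
sequences in query parameters, decoding URL-encoding (including double
encoding) before matching. Log lines and the /file/ route are constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Common log format: ip ident user [timestamp] "METHOD target HTTP/x.y" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# A '..' that forms a whole path segment ('../', '/../', trailing '..'); plain
# '..' inside a name such as 'file..name' is not flagged.
TRAVERSAL = re.compile(r"(?:^|/)\.\.(?:/|$)")

# Constructed sample log: one benign request, four traversal attempts in
# different encodings, one unrelated static-file request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2025:12:00:01 +0000] "GET /file/site.png?size=thumbnail HTTP/1.1" 200 5120
203.0.113.9 - - [10/Oct/2025:12:00:05 +0000] "GET /file/site.png?size=../../../etc/passwd HTTP/1.1" 200 2041
203.0.113.9 - - [10/Oct/2025:12:00:09 +0000] "GET /file/site.png?size=%2e%2e%2f%2e%2e%2fopenatlas%2fconfig HTTP/1.1" 200 900
203.0.113.9 - - [10/Oct/2025:12:00:13 +0000] "GET /file/site.png?size=%252e%252e%252f HTTP/1.1" 200 118
203.0.113.9 - - [10/Oct/2025:12:00:17 +0000] "GET /file/site.png?size=..%5c..%5cconfig.ini HTTP/1.1" 200 77
198.51.100.4 - - [10/Oct/2025:12:01:00 +0000] "GET /static/app.css?v=2 HTTP/1.1" 200 300
"""


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that a
    double-encoded '%252e%252e%252f' ends up as '../' like the plain form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> dict:
    """Return {param: decoded_value} for query parameters whose decoded value
    contains a '..' path segment; backslashes are treated as separators too."""
    query = urlsplit(target).query
    hits = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            decoded = fully_decode(value)
            if TRAVERSAL.search(decoded.replace("\\", "/")):
                hits[name] = decoded
    return hits


def scan(log_text: str) -> list:
    """Parse each log line and return the requests that carry traversal
    sequences, with the source IP, timestamp and flagged parameters."""
    flagged = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        params = suspicious_params(m.group("target"))
        if params:
            flagged.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "target": m.group("target"),
                "params": params,
            })
    return flagged


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["ts"], hit["params"])
```

The double-encoded line is the one a raw-string match on ../ or %2e%2e%2f would miss; decoding before matching catches it, which is why the detection is done on the decoded parameter value rather than on the log line as written.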