
OpenFlights Insecure Temporary File vulnerability in import.php

Moderate
jpatokal published GHSA-hq94-gm7j-7cmc Aug 22, 2024

Package

composer jpatokal/openflights (Composer)

Affected versions

<20240822

Patched versions

20240822

Description

Summary

Insecure Temporary File vulnerability in php/import.php allows remote attackers to read users' private flight data from the temporary files.

Details

The uploaded flight data is persistently stored in a "temporary" file that is visible to everyone if the filename is known. The filename is displayed to the user, and the user is encouraged to post the filename in public:

openflights/php/import.php

Lines 336 to 339 in f53e452

```php
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadFile)) {
    echo "<b>" . _("Upload successful. Parsing...") . "</b><br><h4>" . _("Results") . "</h4>";
    flush();
    // The stored file keeps the short PHP temp name and sits in a web-served
    // directory, so disclosing the name here discloses the download URL.
    print "Tmpfile <tt>" . basename($_FILES['userfile']['tmp_name']) . "</tt><br>"; // DEBUG
    // ... (excerpt ends here; the remainder of the block is not shown in the advisory)
```

```php
<p><?php echo _("If anything else goes wrong during importing, or if a current airline is being mapped wrong, it's a bug and we'd like to know about it. <a href=\"/about\">Drop us a line</a>, tell us exactly what went wrong, and (this is important) <i>give the \"Tmpfile\" value from the top of the import page</i>, so we can replicate it."); ?></p>
```

The filename is also relatively short, so it is feasible to find valid filenames by brute force.
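As an added example (not OpenFlights code), a hardened version of the upload step described above: the file is stored outside the web root under a 128-bit random name with a retention limit, so the reference a user pastes into a bug report no longer doubles as a download URL and cannot be enumerated. The `$importDir` path and the `IMPORT_TTL_SECONDS` retention value are assumptions.

```php
<?php
// Added example, not the project's code: a hardened replacement for the upload
// step quoted above. $importDir is an assumed configuration value; it must
// point outside the web server's DocumentRoot.
declare(strict_types=1);

const IMPORT_TTL_SECONDS = 24 * 3600;   // assumed retention; uploads are not kept forever

/**
 * Store an uploaded file outside the web root under an unguessable name and
 * return a reference the user can paste into a bug report. Because the
 * directory is never served over HTTP, knowing the reference grants no access.
 */
function storeImportUpload(array $file, string $importDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    // Private to the web user only: 0700 directory, 0600 files.
    if (!is_dir($importDir) && !mkdir($importDir, 0700, true)) {
        throw new RuntimeException('Cannot create import directory');
    }
    purgeExpiredImports($importDir);

    // 128 bits from the CSPRNG: a short tempnam()-style suffix is enumerable,
    // this is not.
    $token = bin2hex(random_bytes(16));
    $dest  = $importDir . DIRECTORY_SEPARATOR . $token;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store upload');
    }
    chmod($dest, 0600);
    return $token;
}

/** Delete stored imports older than IMPORT_TTL_SECONDS. */
function purgeExpiredImports(string $importDir): void
{
    foreach (glob($importDir . DIRECTORY_SEPARATOR . '*') ?: [] as $path) {
        if (is_file($path) && filemtime($path) < time() - IMPORT_TTL_SECONDS) {
            unlink($path);
        }
    }
}

// In import.php, instead of printing basename($_FILES['userfile']['tmp_name']):
// $ref = storeImportUpload($_FILES['userfile'], '/var/lib/openflights/imports');
// echo 'Import reference <tt>' . htmlspecialchars($ref) . '</tt><br>';
```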

PoC

A user posted their tmpfile name in an issue #1443, and it can be downloaded at https://openflights.org/import/php35doLd.

Impact

Attackers can access users' private flight data by searching for "tmpfile" in public issues, or brute-forcing the filename.

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE ID

No known CVE

Weaknesses

Credits