Platform: other
Component: im-server
Fixed in: 1.4.4
CVE-2025-66480 is a critical directory traversal vulnerability affecting Wildfire IM Server versions up to 1.4.3. This flaw resides within the file upload functionality, allowing attackers to potentially access sensitive files on the server. The vulnerability stems from insufficient sanitization of filenames during the upload process. A patch is available in version 1.4.3.
The vulnerability lies in the writeFileUploadData method within the com.xiaoleilu.loServer.action.UploadFileAction component. The application fails to properly sanitize filenames during file uploads, directly concatenating the configured storage directory with user-supplied filenames without removing directory traversal sequences like ../. This allows an attacker to craft a malicious filename that points outside the intended upload directory, potentially accessing system files, configuration data, or other sensitive information. The blast radius extends to any data stored on the server accessible by the application process. Exploitation could lead to complete system compromise if the attacker gains access to credentials or other critical system files.
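The unsafe concatenation described above next to a hardened resolver, as an added Java example that is not Wildfire IM Server's own code; the upload directory path and the method names are assumed for illustration:

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class UploadPathCheck {

    // Unsafe: the pattern the advisory describes, where the storage directory
    // is concatenated with the user-supplied filename without any filtering.
    static String unsafeTarget(String storageDir, String userFilename) {
        return storageDir + "/" + userFilename;
    }

    // Hardened: resolve against the normalized upload directory, normalize the
    // result (which collapses any "..") and refuse anything that does not end
    // up strictly inside that directory, including absolute paths and "."
    static Path safeTarget(Path storageDir, String userFilename) {
        if (userFilename == null || userFilename.isEmpty()
                || userFilename.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid filename");
        }
        Path root = storageDir.toAbsolutePath().normalize();
        Path target = root.resolve(userFilename).normalize();
        if (target.equals(root) || !target.startsWith(root)) {
            throw new IllegalArgumentException("filename escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) {
        // Assumed storage directory; not the product's real configuration value.
        Path uploads = Paths.get("/var/lib/wildfire/uploads");
        String[] names = { "avatar.png", "../../../../etc/passwd", "/etc/shadow", "." };
        for (String name : names) {
            System.out.println("unsafe   -> " + unsafeTarget(uploads.toString(), name));
            try {
                System.out.println("hardened -> " + safeTarget(uploads, name));
            } catch (IllegalArgumentException e) {
                System.out.println("hardened -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Only the first name is accepted by the hardened resolver; the traversal sequence, the absolute path and the bare "." are all rejected before any file is written.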
This vulnerability is considered high risk due to its CRITICAL CVSS score and the ease of exploitation. Public proof-of-concept exploits are likely to emerge given the straightforward nature of the flaw. While no active exploitation campaigns have been publicly confirmed as of the publication date, the vulnerability's severity warrants immediate attention. It was published on 2026-02-02.
Organizations using Wildfire IM Server in production environments, particularly those with publicly accessible file upload endpoints, are at risk. Environments with limited security controls or inadequate input validation are especially vulnerable. Shared hosting environments where multiple users share the same server instance could also be affected, as a compromised user account could potentially be used to exploit this vulnerability.
• linux / server: Monitor access logs for requests containing ../ sequences in the filename parameter during file uploads. Use grep to search for patterns like /fs?file=../ in the access logs (the -F flag matches the string literally, so ? and . are not treated as regex metacharacters).
  grep -F '/fs?file=../' /var/log/apache2/access.log
• generic web: Use curl to attempt a file upload with a malicious filename and observe the server's response. Check for unexpected file access or errors.
  curl -F "file=../../../../etc/passwd;" http://your-wildfire-server/fs
• generic web: Examine the server's file system for unexpected files appearing outside of the intended upload directory. Use file system auditing tools to track file creation and modification events.
EPSS: 0.25% (48th percentile)
The primary mitigation is to upgrade Wildfire IM Server to version 1.4.3 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing directory traversal sequences in the filename parameter. Additionally, restrict file upload permissions to the minimum necessary and implement strict input validation on all user-supplied data. Regularly review and audit file upload configurations to prevent future vulnerabilities. After upgrade, confirm the fix by attempting a file upload with a malicious filename containing directory traversal sequences; the upload should be rejected.
Upgrade Wildfire IM Server to version 1.4.3 or later. This version contains the fix for the arbitrary file upload vulnerability via directory traversal. The update prevents remote code execution on the server.
CVE-2025-66480 is a critical vulnerability in Wildfire IM Server versions up to 1.4.3 that allows attackers to read arbitrary files by manipulating file uploads.
You are affected if you are running Wildfire IM Server versions prior to 1.4.3 and have not yet applied the patch.
Upgrade Wildfire IM Server to version 1.4.3 or later. As a temporary workaround, restrict file upload access and implement strict filename validation.
While no public exploits are currently known, the ease of exploitation makes it a potential target for attackers.
Refer to the vendor's security advisory for Wildfire IM Server, which should be available on their official website or security mailing list.