CVE-2018-25421 Overview
CVE-2018-25421 is a path traversal vulnerability in Open STA Manager (OpenStamanager) 2.3. The flaw resides in modules/backup/actions.php, where the file parameter passed alongside op=getfile is not validated against directory traversal sequences. Authenticated users can send crafted GET requests containing ../ sequences to read arbitrary files from the underlying server filesystem. The vulnerability is tracked under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
Critical Impact
Authenticated attackers can download arbitrary files from the host filesystem, exposing configuration files, credentials, and sensitive business data managed by OpenStamanager.
Affected Products
- OpenStamanager 2.3
- Web-based business management deployments using the affected backup module
- Self-hosted installations sourced from the OpenStamanager Project Homepage and SourceForge distribution
Discovery Timeline
- 2026-05-30 - CVE-2018-25421 published to NVD
- 2026-06-01 - Last updated in NVD database
- A public proof-of-concept is indexed as Exploit-DB #45693, and the issue is documented in the VulnCheck Advisory
Technical Details for CVE-2018-25421
Vulnerability Analysis
The vulnerability lives in the backup module endpoint modules/backup/actions.php. When the endpoint receives op=getfile, it reads the file query parameter and returns the requested file to the client. The application fails to canonicalize the path or restrict reads to the intended backup directory. An authenticated user can substitute the expected backup filename with a traversal payload to climb outside the backup root and reach files anywhere the PHP process can read.
Because the read happens server-side and the response streams file contents directly to the requester, the bug functions as an arbitrary file download primitive. Successful exploitation does not require chaining with another flaw; a single GET request returns the targeted file.
Root Cause
The root cause is missing input validation on the file parameter. The handler concatenates user input into a filesystem path without rejecting ../ sequences, absolute paths, or null-byte tricks, and without enforcing an allow-list of legitimate backup filenames. This is a textbook CWE-22 defect.
Attack Vector
Exploitation requires network access to the OpenStamanager web interface and a valid authenticated session. The attacker issues a GET request to modules/backup/actions.php?op=getfile&file= followed by a traversal sequence pointing at a target such as ../../config.inc.php or system files readable by the web server. The server responds with the raw file contents. Targets of interest include OpenStamanager configuration files containing database credentials, web server configuration, and operating system files such as /etc/passwd. Technical reproduction steps are available in the Exploit-DB entry.
Detection Methods for CVE-2018-25421
Indicators of Compromise
- HTTP access log entries containing the substring modules/backup/actions.php combined with op=getfile and any ../ or URL-encoded %2e%2e%2f sequence in the file parameter
- Requests to the getfile action where the file value references paths outside the backup directory or known system files such as config.inc.php, /etc/passwd, or .env
- Unexpected outbound data volume from the OpenStamanager host correlated with authenticated sessions
Detection Strategies
- Inspect web server and application logs for op=getfile requests and alert on any file parameter containing .., %2e, backslashes, or absolute path prefixes
- Deploy a web application firewall rule that blocks path traversal patterns against the /modules/backup/actions.php endpoint
- Correlate authentication events with file download activity to surface low-privilege accounts pulling large volumes of files
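The first two strategies above can be tested offline against access logs. The following is an added Python example, not code from the advisory or from the OpenStamanager project: it parses constructed combined-format log lines (the IPs, usernames and timestamps are made up; the endpoint path and the op/file parameter names come from the advisory), percent-decodes the file argument until it stops changing so that double-encoded payloads are not missed, and flags any value containing a `..` component, a backslash, an absolute path prefix or a null byte. It also counts flagged requests per account, which is the "repeated getfile requests" signal from the monitoring recommendations.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines in the combined layout; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - admin [30/May/2026:10:00:01 +0000] "GET /modules/backup/actions.php?op=getfile&file=backup-2026-05-29.zip HTTP/1.1" 200 5123
10.0.0.9 - user2 [30/May/2026:10:00:07 +0000] "GET /modules/backup/actions.php?op=getfile&file=../../config.inc.php HTTP/1.1" 200 812
10.0.0.9 - user2 [30/May/2026:10:00:09 +0000] "GET /modules/backup/actions.php?op=getfile&file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1412
10.0.0.9 - user2 [30/May/2026:10:00:12 +0000] "GET /modules/backup/actions.php?op=getfile&file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1412
10.0.0.7 - user3 [30/May/2026:10:00:15 +0000] "GET /modules/backup/actions.php?op=getfile&file=/etc/hostname HTTP/1.1" 200 12
10.0.0.5 - admin [30/May/2026:10:00:20 +0000] "GET /modules/backup/actions.php?op=getfile&file=..%5cwindows-style.txt HTTP/1.1" 404 0
10.0.0.5 - admin [30/May/2026:10:00:25 +0000] "GET /modules/other/actions.php?op=list HTTP/1.1" 200 9000
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Raw (still percent-encoded) query arguments, so the original encoding is preserved for reporting.
OP_ARG_RE = re.compile(r'(?:^|&)op=([^&]*)')
FILE_ARG_RE = re.compile(r'(?:^|&)file=([^&]*)')


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing, so %252e -> %2e -> '.' is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious_filename(raw_value):
    """True if the decoded file argument could escape the backup directory."""
    value = fully_decode(raw_value).replace("\\", "/")   # treat backslashes as separators
    if "\x00" in value:                                   # null-byte truncation attempt
        return True
    if value.startswith("/") or re.match(r"^[A-Za-z]:/", value):   # absolute path prefix
        return True
    return any(seg == ".." for seg in value.split("/"))  # parent-directory component


def analyse_log(text):
    """Return one record per getfile request whose file argument looks like traversal."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/modules/backup/actions.php"):
            continue
        op = OP_ARG_RE.search(url.query)
        if not op or fully_decode(op.group(1)) != "getfile":
            continue
        file_arg = FILE_ARG_RE.search(url.query)
        raw = file_arg.group(1) if file_arg else ""
        if is_suspicious_filename(raw):
            hits.append({
                "ip": m.group("ip"), "user": m.group("user"), "ts": m.group("ts"),
                "raw": raw, "decoded": fully_decode(raw), "status": m.group("status"),
            })
    return hits


def repeat_offenders(hits, threshold=2):
    """(ip, user) pairs with at least `threshold` flagged requests: a crude enumeration signal."""
    counts = {}
    for h in hits:
        key = (h["ip"], h["user"])
        counts[key] = counts.get(key, 0) + 1
    return {k: v for k, v in counts.items() if v >= threshold}


if __name__ == "__main__":
    flagged = analyse_log(SAMPLE_LOG)
    for h in flagged:
        print(f'{h["ts"]} {h["ip"]} {h["user"]} -> {h["decoded"]!r} (raw {h["raw"]!r}, HTTP {h["status"]})')
    print("repeat offenders:", repeat_offenders(flagged))
```

Two details matter in practice: the HTTP status is kept in each record because a 200 on a flagged request means the server actually returned the file, and the decoding loop is bounded so a log line cannot make the scanner spin on pathological input.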
Monitoring Recommendations
- Forward OpenStamanager and reverse-proxy access logs to a centralized SIEM or data lake for retention and pattern matching
- Track read access to OpenStamanager configuration files and PHP source files at the host filesystem level using file integrity monitoring
- Alert on authenticated sessions issuing repeated getfile requests in short windows, which indicates automated enumeration
How to Mitigate CVE-2018-25421
Immediate Actions Required
- Upgrade OpenStamanager to a version later than 2.3 that addresses the traversal in modules/backup/actions.php
- Restrict access to the OpenStamanager web interface to trusted networks or VPN users until patching is complete
- Audit account inventory and disable unused or shared accounts that could be abused to reach the authenticated endpoint
- Review web server logs for prior exploitation attempts targeting the getfile action
Patch Information
Review the OpenStamanager Project Homepage and the SourceForge download page for the latest release. Apply the most recent stable version and validate that modules/backup/actions.php canonicalizes user-supplied filenames and constrains reads to the backup directory. Additional technical context is available in the VulnCheck Advisory.
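What "canonicalizes user-supplied filenames and constrains reads to the backup directory" means in code, as an added Python illustration of the technique rather than OpenStamanager's own PHP handler: the defective pattern (user input joined straight onto the backup root) is shown next to a hardened resolver that applies a strict filename allow-list, resolves both sides with realpath, and refuses anything whose parent directory is not the backup root. The filename pattern `BACKUP_NAME_RE`, the temporary directory layout and the dummy files are assumptions made for the demonstration; the symlink case shows why the allow-list alone is not enough.

```python
import os
import re
import tempfile

# Assumed naming convention for legitimate backup artefacts (adjust to the real deployment).
BACKUP_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+\.(zip|sql|tar\.gz)$")


def naive_resolve(backup_root, requested):
    """The defective pattern, for comparison only: user input concatenated into the path.
    os.path.join discards backup_root entirely when `requested` is absolute."""
    return os.path.join(backup_root, requested)


def safe_resolve(backup_root, requested):
    """Return the absolute path of a file inside backup_root, or None if the request must be refused."""
    # 1. Allow-list: only plain backup filenames, so no separators and no '..' ever reach the join.
    if not BACKUP_NAME_RE.match(requested):
        return None
    # 2. Canonicalize both sides so symlinks and any residual '..' are resolved before comparing.
    root = os.path.realpath(backup_root)
    candidate = os.path.realpath(os.path.join(root, requested))
    # 3. Containment: the resolved file must sit directly under the resolved root.
    if os.path.dirname(candidate) != root:
        return None
    # 4. Serve only regular files that exist (not directories, devices or dangling links).
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo():
    """Build a throwaway backup directory and compare both resolvers on sample requests."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "backup")
        os.mkdir(root)
        with open(os.path.join(root, "backup-2026-05-29.zip"), "wb") as f:
            f.write(b"PK\x03\x04")  # constructed dummy archive header
        with open(os.path.join(tmp, "config.inc.php"), "w") as f:
            f.write("<?php // constructed stand-in for a sensitive file outside the backup root\n")
        try:  # a symlink planted inside the backup root passes the name check but not realpath
            os.symlink(os.path.join(tmp, "config.inc.php"), os.path.join(root, "link.zip"))
        except OSError:
            pass  # symlinks unavailable on this platform; link.zip then simply does not exist
        real_root = os.path.realpath(root)
        cases = ["backup-2026-05-29.zip", "../config.inc.php", "/etc/hostname", "link.zip", "missing.zip"]
        results = {}
        for req in cases:
            naive_target = os.path.realpath(naive_resolve(root, req))
            results[req] = {
                "naive_escapes": not naive_target.startswith(real_root + os.sep),
                "safe": safe_resolve(root, req) is not None,
            }
        return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r:28} naive escapes root: {outcome['naive_escapes']!s:5}  hardened serves it: {outcome['safe']}")
```

The order of the checks is deliberate: the allow-list rejects the obvious payloads cheaply, while the realpath containment check catches what a pattern cannot see, such as a symlink inside the backup directory that points elsewhere.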
Workarounds
- Block requests containing .., %2e%2e, or absolute paths in the file query parameter at the reverse proxy or WAF
- Deny external access to /modules/backup/ at the web server layer and limit it to administrative source IP addresses
- Reduce filesystem exposure by running the PHP-FPM or web server worker under a least-privilege account that cannot read sensitive system files
# Example nginx rule blocking traversal against the vulnerable endpoint.
# $arg_file is matched as sent on the wire (nginx does not percent-decode it), so the
# pattern covers both the literal and the single-encoded form; ~* makes it case-insensitive.
location ~* /modules/backup/actions\.php$ {
    if ($arg_file ~* "(\.\./|%2e%2e|^/)") {
        return 403;
    }
    # Optional: restrict to admin networks (replace with the real management ranges)
    allow 10.0.0.0/8;
    deny all;
    # This regex location takes over handling of the URI from the site's generic \.php$
    # location, so it must also carry the same fastcgi_pass / include fastcgi_params
    # directives (omitted here); otherwise the script is served as a static file, not executed.
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.