CVE-2026-28429 Overview
CVE-2026-28429 is a Path Traversal vulnerability affecting Talishar, a fan-made Flesh and Blood online game project. The vulnerability exists in the gameName parameter within the ParseGamestate.php component. While the application's primary entry points implement input validation, the ParseGamestate.php script can be accessed directly as a standalone component. In this scenario, the absence of internal sanitization allows for directory traversal sequences (e.g., ../) to be processed, potentially leading to unauthorized file access on the server.
Critical Impact
This Path Traversal vulnerability allows unauthenticated remote attackers to read arbitrary files from the server by manipulating the gameName parameter, potentially exposing sensitive configuration files, source code, and system data.
Affected Products
- Talishar (all versions prior to commit 6be3871)
- Talishar ParseGamestate.php component
Discovery Timeline
- 2026-03-06 - CVE-2026-28429 published to NVD
- 2026-03-09 - Last updated in NVD database
Technical Details for CVE-2026-28429
Vulnerability Analysis
This vulnerability falls under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal or Directory Traversal. The core issue stems from the ParseGamestate.php component's failure to validate the gameName parameter when accessed directly, bypassing the application's primary input validation mechanisms.
When processing requests, the vulnerable code constructs file paths by directly concatenating the user-supplied gameName parameter with directory paths like ./Games/ and /gamestate.txt. An attacker can craft malicious input containing directory traversal sequences (such as ../) to navigate outside the intended Games directory and access arbitrary files on the system.
The network-accessible nature of this vulnerability means attackers can exploit it remotely without authentication, potentially gaining access to sensitive files including configuration data, database credentials, and source code.
Root Cause
The root cause is the lack of input sanitization for the gameName parameter within the ParseGamestate.php script when accessed directly. While the application's main entry points validate user input, this standalone script does not perform its own validation checks, creating an exploitable bypass. The code directly uses the gameName value in file path construction without verifying that it contains only expected numeric game identifiers.
Attack Vector
This vulnerability is exploitable via the network through direct HTTP requests to the ParseGamestate.php endpoint. An attacker can manipulate the gameName parameter to include path traversal sequences, escaping the intended ./Games/ directory structure.
For example, an attacker could craft a request with a gameName value like ../../../etc/passwd to attempt reading sensitive system files. The lack of numeric validation allows non-numeric strings containing traversal sequences to be processed by the vulnerable file path construction logic.
// Security patch from commit 6be3871 - adds numeric validation
return explode(" ", $line);
}
+if(!is_numeric($gameName)) exit;
if(!isset($filename) || !str_contains($filename, "gamestate.txt")) $filename = "./Games/" . $gameName . "/gamestate.txt";
if(!isset($filepath)) $filepath = "./Games/" . $gameName . "/";
Source: GitHub Commit 6be3871
The patch adds a critical check using is_numeric() to ensure the gameName parameter contains only numeric characters, preventing directory traversal sequences from being processed.
Detection Methods for CVE-2026-28429
Indicators of Compromise
- HTTP requests to ParseGamestate.php containing ../ or encoded variants (%2e%2e%2f, ..%2f)
- Access logs showing direct requests to ParseGamestate.php with non-numeric gameName parameter values
- Unusual file access patterns in web server logs indicating attempts to read files outside the ./Games/ directory
- Error logs showing failed file access attempts to system paths like /etc/, /var/, or Windows system directories
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block path traversal patterns in the gameName parameter
- Deploy intrusion detection signatures for path traversal attacks targeting PHP applications
- Monitor web server access logs for requests containing directory traversal sequences or encoded path separators
- Use file integrity monitoring to detect unauthorized access to sensitive configuration files
Monitoring Recommendations
- Enable verbose logging for the ParseGamestate.php endpoint to capture all parameter values
- Configure alerts for anomalous access patterns to game state files outside expected directories
- Implement rate limiting on direct access to ParseGamestate.php to slow down enumeration attempts
- Review web server logs regularly for patterns indicative of path traversal exploitation attempts
How to Mitigate CVE-2026-28429
Immediate Actions Required
- Update Talishar to commit 6be3871 or later immediately
- Review web server access logs for evidence of prior exploitation attempts
- Implement WAF rules to block path traversal patterns as a defense-in-depth measure
- Restrict direct access to ParseGamestate.php if not required by application functionality
Patch Information
The vulnerability has been patched in Talishar commit 6be3871. The fix adds a numeric validation check for the gameName parameter, ensuring that only numeric values are accepted before file path construction. This effectively prevents directory traversal attacks by rejecting any input containing non-numeric characters.
For detailed patch information, refer to the GitHub Security Advisory GHSA-f386-xhcw-jrx8 and the commit changes.
Workarounds
- Implement WAF rules to block requests containing path traversal sequences (../, ..\, encoded variants) in the gameName parameter
- Restrict direct access to ParseGamestate.php using web server configuration, forcing all requests through the main application entry points
- Use .htaccess or equivalent configuration to deny direct access to internal PHP scripts
- Implement application-level input validation to ensure gameName contains only numeric characters
# Apache .htaccess example to restrict direct access to ParseGamestate.php
<Files "ParseGamestate.php">
Order deny,allow
Deny from all
# Allow only from localhost or trusted internal sources if needed
# Allow from 127.0.0.1
</Files>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
