Key Information

Affected Versions

Vendor: https://github.com/easysoft/zentaopms
Version: 21.5_20250307

Vulnerability Description

A path traversal vulnerability exists in the ZenTao editor component, allowing attackers to read arbitrary files on the system via the PHP wrapper protocol. The vulnerability resides in the method of the editor controller, where improper validation of file paths enables attackers to bypass security checks and exploit the wrapper.

Vulnerability Details

The affected code attempts to validate file paths by checking whether the path starts within the application's base path:

Root causes of the vulnerability:

1. The parameter is base64-decoded using .
2. Security validation only checks if the file path starts with the application's base path.
3. PHP wrapper protocols (such as ) can bypass this check, as they do not start with the base path.
4. The application uses , which supports wrapper protocols, to read file contents.

Exploitation Method

Attackers can exploit this vulnerability by sending a request with a base64-encoded file path using the wrapper protocol:

For example, is the base64 encoding of , allowing attackers to read sensitive system files.

This vulnerability may enable attackers to:

1. Read sensitive system files (e.g., )
2. Access application configuration files containing credentials
3. Retrieve source code of restricted files
4. Potentially achieve remote code execution via advanced exploitation techniques (e.g., PHAR deserialization)

Mitigation Measures

To fix this vulnerability, implement proper file path validation:

1. Block PHP wrapper protocols in file paths.
2. Implement a whitelist of allowed file extensions and directories.
3. Use secure file reading methods that do not support wrapper protocols.
4. Enforce proper input validation before processing file paths.
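
One way to combine the four mitigation measures in a single validator, as an added example that is not ZenTao's code or its actual patch. The function name `resolveEditorFile`, the base directory, the extension allowlist and the demo inputs are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not ZenTao code); $baseDir and $allowedExt are assumptions.
function resolveEditorFile(string $encoded, string $baseDir, array $allowedExt = ['php', 'js', 'css', 'html']): ?string
{
    // Strict decoding rejects characters outside the base64 alphabet.
    $path = base64_decode($encoded, true);
    if ($path === false || $path === '' || strpos($path, "\0") !== false) {
        return null;
    }
    // Refuse anything shaped like "scheme://", i.e. a stream wrapper.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) === 1) {
        return null;
    }
    // Canonicalize: realpath() resolves ".." and symlinks, and returns false
    // for anything that is not an existing path on the local filesystem.
    $base = realpath($baseDir);
    $real = realpath($path);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // Compare canonical paths; the trailing separator stops "/app-old" matching "/app".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Extension allowlist, checked on the resolved name.
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    return in_array($ext, $allowedExt, true) ? $real : null;
}

// Constructed demo tree and inputs.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'editor_demo_' . getmypid();
mkdir($base . DIRECTORY_SEPARATOR . 'module', 0700, true);
$inside = $base . DIRECTORY_SEPARATOR . 'module' . DIRECTORY_SEPARATOR . 'control.php';
file_put_contents($inside, "<?php // sample\n");
$cases = [
    'file inside base'      => $inside,
    'dot-dot staying inside' => dirname($inside) . '/../module/control.php',
    'wrapper-style path'    => 'wrapper://resource',
    'existing file outside' => __FILE__,
];
foreach ($cases as $label => $raw) {
    $result = resolveEditorFile(base64_encode($raw), $base);
    printf("%-22s => %s\n", $label, $result === null ? 'rejected' : 'allowed');
}
unlink($inside);
rmdir(dirname($inside));
rmdir($base);
```

Because the function returns only a canonical absolute path, the caller's read operates on a plain local filename rather than on attacker-controlled text that a stream wrapper could interpret.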