Security Vulnerability Report: Scada-LTS Zip Slip Arbitrary File Write

Summary

Scada-LTS is vulnerable to a Zip Slip style path traversal in its project import functionality. By uploading a crafted ZIP archive, an authenticated administrator can make the server write attacker-controlled files outside of the intended and directories. The issue stems from insufficient normalization and validation in , combined with permissive path checks in and . Successful exploitation enables arbitrary file overwrite anywhere beneath (typically the Tomcat base directory). An attacker can deface the user interface, plant malicious SVGs for stored XSS, or otherwise persistently modify resources that are delivered to other users.

Product & Versions

Product: Scada-LTS ()
Affected versions: all releases up to and including commit 1cfac44b35117e4871bc3dfe0a73f61688e3bb33
Fixed version: not yet fixed

Vulnerability Details

Root Cause Analysis

1. iterates over each ZIP entry during import and delegates filtering to before calling .
2. (line 179) writes the file without further checks if the optional result is present.
3. constructs an absolute path via . When the supplied path contains traversal segments (e.g. ), the function simply concatenates the input onto before returning, allowing traversal to any location under that base directory.
4. The checks in rely on and do not mitigate directory traversal.

Proof of Concept

1. Authenticate to Scada-LTS as an administrator.
2. Create a ZIP archive containing a payload file whose entry name points outside the intended directory:
3. In the web UI, navigate to and upload .
4. After import, inspect . The original file has been overwritten with the attacker-controlled image, demonstrating arbitrary file write under .

Impact

- Persistent defacement or phishing by replacing UI assets.
- Potential stored XSS if a malicious SVG is placed in a web-accessible path.
- Facilitates further exploitation by overwriting configuration files, template files, or other static resources delivered to operators.

Remediation Guidance

1. Treat all ZIP entry names as untrusted input. After resolving the canonical path ( ), ensure it starts with the intended or base directory before writing.
2. Harden / to reject traversal tokens ( , absolute paths, drive letters) rather than blindly accepting results.
3. Optionally maintain an explicit whitelist of permissible subdirectories and file types.

Credits

Discovered by sh7err@vEcho.
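The three remediation steps above (canonical-path prefix check, rejection of traversal tokens, absolute paths and drive letters, and an optional allow-list of subdirectories and file types) combined into one safe ZIP extraction routine. This is an added Python example written for this report, not Scada-LTS's own code (which is Java), and the `uploads`/`graphics` subdirectory names, the permitted extensions and the sample archive contents are constructed assumptions, since the report does not name the real import directories:

```python
import io
import os
import re
import tempfile
import zipfile

# Hypothetical allow-list: the report does not name the import directories,
# so these subdirectory and extension names are assumptions for the demo.
ALLOWED_SUBDIRS = ("uploads", "graphics")
ALLOWED_EXTS = (".png", ".jpg", ".jpeg", ".json")

_DRIVE_RE = re.compile(r"^[A-Za-z]:")


class UnsafeZipEntry(ValueError):
    """Raised for an entry that would escape the base directory or violate the allow-list."""


def resolve_entry(base_dir: str, entry_name: str) -> str:
    """Return the canonical target path for a ZIP entry, or raise UnsafeZipEntry.

    Rejects absolute paths, drive letters and '..' tokens up front, then
    re-checks the canonical result against the canonical base directory so
    that nothing slipping past the string checks can still escape.
    """
    name = entry_name.replace("\\", "/")  # treat backslashes as separators too
    if not name or name.startswith("/") or _DRIVE_RE.match(name):
        raise UnsafeZipEntry(f"absolute path or drive letter rejected: {entry_name!r}")
    if ".." in name.split("/"):
        raise UnsafeZipEntry(f"traversal token rejected: {entry_name!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, *name.split("/")))
    # Canonical-prefix check: the backstop the report recommends, applied
    # after normalization rather than on the raw entry name.
    if os.path.commonpath([base, target]) != base:
        raise UnsafeZipEntry(f"resolved outside base directory: {entry_name!r}")
    return target


def check_allow_list(entry_name: str) -> None:
    """Enforce the optional allow-list of subdirectories and file types."""
    parts = entry_name.replace("\\", "/").split("/")
    if len(parts) < 2 or parts[0] not in ALLOWED_SUBDIRS:
        raise UnsafeZipEntry(f"subdirectory not permitted: {entry_name!r}")
    if os.path.splitext(parts[-1])[1].lower() not in ALLOWED_EXTS:
        raise UnsafeZipEntry(f"file type not permitted: {entry_name!r}")


def safe_extract(zip_bytes: bytes, base_dir: str):
    """Extract only entries that pass both checks; return (written, rejected)."""
    written, rejected = [], []
    base = os.path.realpath(base_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                target = resolve_entry(base, info.filename)
                check_allow_list(info.filename)
            except UnsafeZipEntry:
                rejected.append(info.filename)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, base))
    return written, rejected


def build_demo_zip() -> bytes:
    """Constructed sample archive: one legitimate entry and four that must be refused."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("uploads/logo.png", b"\x89PNG demo bytes")
        zf.writestr("../../webapps/ROOT/index.html", b"<h1>demo</h1>")  # Zip Slip traversal
        zf.writestr("/etc/passwd", b"x")                                 # absolute path
        zf.writestr("uploads/evil.svg", b"<svg>demo</svg>")              # type not on allow-list
        zf.writestr("C:\\Windows\\x.png", b"x")                          # drive letter
    return buf.getvalue()


def run_demo(base_dir=None):
    """Extract the sample archive into a scratch directory and report the outcome."""
    if base_dir is None:
        base_dir = tempfile.mkdtemp(prefix="scada_import_")
    return safe_extract(build_demo_zip(), base_dir)


if __name__ == "__main__":
    ok, bad = run_demo()
    print("written :", ok)
    print("rejected:", bad)
```

The order of checks matters: the token checks give a clear reason for rejection, but the `commonpath` comparison on the canonicalized path is the check that must never be skipped, because it holds regardless of how the entry name was encoded. Rejected entries are reported rather than silently dropped so an operator can see that an import attempted to escape the base directory.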