An interesting look at an overlooked vulnerability, client-side path traversal. A client-side path traversal is when the path traversal attack lands on the client side rather than the more traditional attack against server-side files.

In this case, we have Acronis which allows for users to specify a color scheme to use as a url parmater. The application then reads that parameter in JavaScript and tries to fetch the theme.{color_scheme_value}.css file. In doing so, it does not sanitize the color_scheme at all, so any directory traversals will be included and resolved when the request is made allowing this request to hit other endpoints, but not other domains.

The author combines this with an open redirect issue where on the callback URL being executed it will redirect based on the state value. So if a victim is logged in with the oauth identity provider, when they access the page with the vulnerable color_scheme, it will attempt to load the CSS file, path traversal taking it to the oauth redirect, the oauth provider redirecting it back to the legitimate callback URL, and the callback redirecting to the attacker controlled location. Ultimately loading attacker controlled CSS which can be used for exfiltration.