Insecure path join to RCE via SSTI [CVE-2023-22855]

We discussed this vulnerability during Episode 187 on 13 February 2023

A path traversal issue in Kardex MLOG caused by improper handling of Windows path separators. The service's GetFilehandler would check for an /api and /image slug, and if neither were present it would fall back on trying to construct a filename. While it would strip forward slashes (/), it ignored Windows backslash separators (\). Additionally, since Windows supports remote (UNC) paths via a leading \\, it was possible to include a remote file from an attacker-controlled host.

Taking this to RCE was straightforward: if the file extension was t4, the file would be passed through the template engine, effectively resulting in a Server-Side Template Injection (SSTI). As the template engine supported C#, RCE was trivial.
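An added example (not Kardex's code) showing why stripping only forward slashes is insufficient on Windows, and a containment check that refuses both separator styles and UNC prefixes. The base directory, host name and function names are assumptions for illustration.

```python
"""Added example: the sanitisation gap described above, next to a check that
confines a requested name to a base directory on Windows path rules."""
import ntpath
from typing import Optional

BASE_DIR = r"C:\mlog\www"  # constructed base directory, not the real one


def weak_sanitize(name: str) -> str:
    """Mirror of the flaw: forward slashes are stripped, backslashes are not."""
    return name.replace("/", "")


def is_remote_path(path: str) -> bool:
    """True when ntpath parses the string as a UNC (\\\\server\\share) path."""
    drive, _ = ntpath.splitdrive(path)
    return drive.startswith("\\\\") or drive.startswith("//")


def safe_resolve(name: str, base: str = BASE_DIR) -> Optional[str]:
    """Return the file under `base` that `name` selects, or None to refuse.
    Uses ntpath so the rules match Windows even when run on another OS."""
    # A request is expected to name a single file: any separator, drive
    # letter or NUL byte is refused outright rather than stripped.
    if not name or any(ch in name for ch in "/\\:\x00"):
        return None
    if is_remote_path(name):
        return None
    candidate = ntpath.normpath(ntpath.join(base, name))
    # Containment check: after normalisation the path must still sit under
    # base. This also catches bare ".." and similar names.
    base_norm = ntpath.normpath(base)
    if ntpath.commonpath([candidate, base_norm]) != base_norm:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests; the UNC host is a placeholder.
    unc = r"\\attacker.example\share\remote.t4"
    print("weak sanitizer leaves UNC intact:", is_remote_path(weak_sanitize(unc)))
    for req in (unc, r"..\web.config", "..", "logo.png"):
        print(repr(req), "->", safe_resolve(req))
```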