InvoicePlane 1.6.3 Path Traversal

Published: 13 Apr 2026
Reported by: Łukasz Rybak
Source: Packet Storm (packetstorm.news)

Unauthenticated path traversal in InvoicePlane 1.6.3 exposes arbitrary server files and credentials.

# CVE-2026-23491: InvoicePlane has Unauthenticated Path Traversal in Guest Controller

## Overview

| Field | Details |
|---|---|
| **CVE ID** | [CVE-2026-23491](https://nvd.nist.gov/vuln/detail/CVE-2026-23491) |
| **Severity** | CRITICAL |
| **Advisory** | [View Advisory](https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-88gq-mv54-v3fc) |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |

## Affected Products

- **InvoicePlane/InvoicePlane** (version 1.6.3, as tested)
    
## Details

### Summary
A path traversal vulnerability exists in the `get_file` method of the `Guest` module's `Get` controller in InvoicePlane v1.6.3. It allows unauthenticated attackers to read arbitrary files on the server by manipulating the input filename, which leads to the disclosure of sensitive information, including configuration files with database credentials.

### Details
The vulnerability is located in the `application/modules/guest/controllers/Get.php` file, specifically within the `get_file` function.

The function accepts a `$filename` parameter directly from the URL. It performs `urldecode($filename)` but never checks the result for directory traversal sequences (e.g., `../`). The decoded filename is then concatenated with a base directory (`$this->targetPath`, which maps to `uploads/customer_files/`) and passed to `readfile()`. The `file_exists()` call is the only check before the read, and it accepts a path that has already escaped the upload directory just as readily as one inside it.
    
**Vulnerable Code Snippet:**
```php
public function get_file($filename): void
{
    // $filename is the raw URI segment; decoding restores any "/" that
    // arrived as %2f, and nothing afterwards rejects "..".
    $filename = urldecode($filename);
    if ( ! file_exists($this->targetPath . $filename)) {
        $ref = isset($_SERVER['HTTP_REFERER']) ? ', Referer:' . $_SERVER['HTTP_REFERER'] : '';
        $this->respond_message(404, 'upload_error_file_not_found', $this->targetPath . $filename . $ref);
    }

    // ... headers setting content type and disposition ...

    // Streams whatever the concatenated path resolves to.
    readfile($this->targetPath . $filename);
}
```

Because `$filename` is user-controlled and unchecked, an attacker can provide a string like `../../ipconfig.php` to break out of the intended directory.
    
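To make the failure concrete and show the check that closes it, here is an added illustration written for this page. It is not InvoicePlane's code and not the contents of the referenced fix commit; the function names `vulnerableResolve` and `safeResolve`, the scratch directory layout and the demo file contents are all invented for the demonstration, and it assumes PHP 8.0 or later. It mirrors the advisory's layout (`ipconfig.php` two levels above `uploads/customer_files/`) in a temporary directory, runs the PoC segment through both resolution strategies, and prints where each one lands.

```php
<?php
declare(strict_types=1);

// Added illustration for this page; not InvoicePlane's code nor its patch.
// Assumes PHP 8.0+ (str_contains, str_starts_with).

// Same logic as the vulnerable get_file(): decode, concatenate, nothing else.
// realpath() is used here only to show where readfile() would end up.
function vulnerableResolve(string $targetPath, string $filename): ?string
{
    $filename = urldecode($filename);
    $resolved = realpath($targetPath . $filename);
    return $resolved === false ? null : $resolved;
}

// Hardened variant: accept a bare file name only, then confirm that the
// canonical path is still inside the canonical upload directory.
function safeResolve(string $targetPath, string $filename): ?string
{
    $base = realpath($targetPath);
    if ($base === false) {
        return null;
    }
    $base .= DIRECTORY_SEPARATOR;

    $filename = urldecode($filename);
    // NUL bytes first (they would truncate the path at the C level), then
    // "." / "..", then anything basename() would alter, i.e. anything that
    // contained a directory separator.
    if ($filename === '' || str_contains($filename, "\0")
        || $filename === '.' || $filename === '..'
        || $filename !== basename($filename)) {
        return null;
    }

    // realpath() follows symlinks, so a link planted inside the upload
    // directory that points elsewhere fails the prefix check as well.
    $candidate = realpath($base . $filename);
    if ($candidate === false || !is_file($candidate) || !str_starts_with($candidate, $base)) {
        return null;
    }
    return $candidate;
}

// Throwaway layout constructed for the demo:
//   <tmp>/app/ipconfig.php
//   <tmp>/app/uploads/customer_files/invoice.pdf
$root    = sys_get_temp_dir() . '/ip_demo_' . bin2hex(random_bytes(4));
$uploads = $root . '/app/uploads/customer_files/';
mkdir($uploads, 0700, true);
file_put_contents($root . '/app/ipconfig.php', "DB_PASSWORD=demo-only\n");
file_put_contents($uploads . 'invoice.pdf', "%PDF-1.4 demo\n");

$payload = '..%2f..%2fipconfig.php'; // the PoC segment from the advisory

printf("vulnerable resolve : %s\n", vulnerableResolve($uploads, $payload) ?? '(refused)');
printf("hardened resolve   : %s\n", safeResolve($uploads, $payload) ?? '(refused)');
printf("hardened, legit    : %s\n", safeResolve($uploads, 'invoice.pdf') ?? '(refused)');

// Remove the scratch tree again.
unlink($uploads . 'invoice.pdf');
unlink($root . '/app/ipconfig.php');
rmdir($uploads);
rmdir($root . '/app/uploads');
rmdir($root . '/app');
rmdir($root);
```

Run with `php demo.php`: the first line prints the absolute path of the scratch `ipconfig.php`, the second prints `(refused)`, the third prints the path of `invoice.pdf`. The prefix comparison is done on `realpath()` output on both sides so that symlinked temp directories and `..` segments are canonicalised identically; comparing the raw concatenation against the raw base would pass the traversal.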
### PoC
The following cURL command demonstrates reading the `ipconfig.php` file (which resides two directories up from the default `uploads/customer_files/` directory):

```bash
curl http://localhost/index.php/guest/get/get_file/..%2f..%2fipconfig.php
```

![PoC response showing the contents of ipconfig.php](https://github.com/user-attachments/assets/5b446157-b2e3-4428-b357-406bfcebc6f4)

**Expected Output:**
The server responds with the content of `ipconfig.php`, which includes sensitive environment variables like `DB_PASSWORD` and `ENCRYPTION_KEY`. Because `readfile()` streams the file rather than executing it, the contents come back verbatim.

Two points matter when reproducing this. The slashes are sent as `%2f` so that the whole traversal arrives as a single URI segment: the CodeIgniter router would otherwise split a literal `../../ipconfig.php` into segments and discard the `..` ones before the controller saw them, and it is the `urldecode()` call inside `get_file` that turns `%2f` back into `/`. Also, Apache answers any request whose path contains `%2F` with 404 unless `AllowEncodedSlashes` is enabled, so the PoC can fail against an Apache front end while succeeding against nginx or the PHP built-in server; that changes how reachable the bug is, not whether it exists.
    
### Impact

Attackers can read the application configuration (including the database credentials and the `ENCRYPTION_KEY` noted above), application source code, and any other file on the system readable by the web server user. No authentication is required, since the `guest` module is reachable anonymously by design.
    
## References

- https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-88gq-mv54-v3fc
- https://github.com/InvoicePlane/InvoicePlane/commit/add8bb798dde621f886823065ef1841986543c69

## Disclaimer

This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.

Vulners scoring (as of 13 Apr 2026):

- Vulners AI Score: 5.8 (medium risk)
- CVSS 3.1: 7.5
- CVSS 4: 9.3
- EPSS: 0.00106