Security Advisory
4D Unauthenticated File Disclosure
Path traversal vulnerability in the 4D caching system allows unauthenticated access to arbitrary files.
CVE: requested
CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Severity: high
Affected versions: tested on 4D 20 R7 (File Version 20.7.100.311), older versions are probably also affected.
Fixed versions: 4D 20 R8 final (build 100333), 4D 20 LTS (build 101802), 4D 20.7 LTS (build 101824)
Discovered by: Hans-Martin Münch, Frederic Linn
Product description
4D is a platform for developing database-based applications. To quote the web site:
Find out how to quickly and simply design and develop powerful business apps for the Web, the mobile as well as for macOS and Windows.
Details
When a client opens a connection using the 4D binary protocol, compressed resources (such as "Components" or "Plugins") are downloaded from the 4D server and stored in a local cache inside the "AppData" directory on Windows. During this update process, the 4D server sends an overview of the files present in the cache directory, and the 4D client then downloads each of them by requesting the specific filename.
The 4D server uses the client-provided filename without further validation to build the path of the file that is sent back to the client. By placing ..\ sequences in the requested filename, a client can therefore download files outside of the cache directory. Because this cache exchange happens while the connection is being established, it does not require authentication (CVSS PR:N).
Please note that this was only tested on Windows systems; we assume that 4D servers running on macOS are also affected.
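To make the flaw and its fix concrete, the following Python snippet is an added illustration written for this advisory. It is not 4D's code (which is not public), and the cache location, the sample file names and the function names are assumptions. It uses ntpath so the Windows path semantics described above are reproduced on any platform: the "vulnerable" function joins the client-supplied name to the cache directory exactly as the advisory describes, while the hardened variants normalise the path and refuse anything that does not stay below the cache directory, or simply require a bare file name since the server itself announced which names exist.

```python
import ntpath

# Illustrative cache location (assumed; the advisory only says "AppData" on Windows).
CACHE_DIR = r"C:\Users\alice\AppData\Local\4D\Cache"


def vulnerable_cache_path(cache_dir: str, requested_name: str) -> str:
    """Build the path the way the advisory describes the flaw: the client-supplied
    name is joined to the cache directory and used as-is. '..\\' components are
    honoured, so the result can point anywhere on the disk."""
    return ntpath.normpath(ntpath.join(cache_dir, requested_name))


def safe_cache_path(cache_dir: str, requested_name: str) -> str:
    """Hardened variant: normalise first, then refuse anything that does not stay
    strictly below cache_dir. The comparison is case-insensitive because NTFS is.
    A real server should additionally resolve through the filesystem (realpath)
    so that junctions and symlinks cannot defeat the string comparison."""
    base = ntpath.normpath(cache_dir)
    candidate = ntpath.normpath(ntpath.join(base, requested_name))
    # Absolute names, other drives and '..' escapes all fail this single test,
    # because ntpath.join replaces the base for absolute input and normpath
    # collapses the '..' components.
    if not candidate.lower().startswith(base.lower() + ntpath.sep):
        raise ValueError(f"refusing to serve {requested_name!r}: resolves outside the cache")
    return candidate


def traversal_rejected(cache_dir: str, requested_name: str) -> bool:
    """True if the hardened resolver refuses the request."""
    try:
        safe_cache_path(cache_dir, requested_name)
    except ValueError:
        return True
    return False


def is_plain_cache_name(requested_name: str) -> bool:
    """Stricter allowlist for this use case: the server announced the cache file
    names itself, so a legitimate request is a bare file name with no directory
    part, no drive letter and no separators at all."""
    if requested_name in ("", ".", ".."):
        return False
    drive, _ = ntpath.splitdrive(requested_name)
    if drive:
        return False
    return ntpath.basename(requested_name) == requested_name


if __name__ == "__main__":
    # Constructed sample requests; 'win.ini' is just a well-known readable file.
    traversal = r"..\..\..\..\..\..\Windows\win.ini"
    print("vulnerable:", vulnerable_cache_path(CACHE_DIR, traversal))
    for name in ("MyComponent.4dz", traversal, r"\Windows\win.ini", r"D:\secret.txt"):
        try:
            print("OK  ", safe_cache_path(CACHE_DIR, name))
        except ValueError as exc:
            print("DENY", exc)
        print("     plain name:", is_plain_cache_name(name))
```

The prefix check and the allowlist are complementary: the containment check is the general fix for any "serve a file under this directory" code path, while the bare-name rule is the tighter option here because the set of valid names is known to the server in advance.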
Workarounds
None
Coordinated Disclosure Timeline
- 25/03/2025 Using the 4D contact form to request a technical contact
- 26/03/2025 Response from the 4D contact, asking for details to be forwarded internally
- 27/03/2025 Sending details to 4D
- 24/05/2025 Requesting update from 4D
- 25/05/2025 Response from 4D, listing the fixed versions
- 25/05/2025 Advisory release