A critical directory traversal vulnerability has been discovered in Performave Convoy’s LocaleController component, enabling unauthenticated remote attackers to execute arbitrary code on affected servers.
The security vulnerability, tracked as GHSA-43g3-qpwq-hfgg and disclosed by researcher ericwang401 five days ago, impacts all Convoy installations running versions 3.9.0-rc.3 through 4.4.0.
The vulnerability allows attackers to manipulate locale and namespace parameters in HTTP requests to include and execute malicious PHP files, potentially granting complete control over targeted application servers.
The directory traversal vulnerability resides within Convoy’s LocaleController, a component responsible for handling internationalization features.
Attackers can exploit this vulnerability without authentication by crafting malicious HTTP requests containing specially designed locale and namespace parameters.
The vulnerability stems from insufficient input validation and sanitization of user-controlled parameters, allowing attackers to traverse the file system beyond intended boundaries.
The attack mechanism involves manipulating these parameters to reference files outside the application’s designated locale directory structure.
By leveraging path traversal techniques, attackers can force the application to include arbitrary PHP files from anywhere on the server’s file system.
Once included, these files execute within the application’s context, providing attackers with the same privileges as the web server process.
This fundamental security weakness transforms what should be a benign localization feature into a powerful attack vector for system compromise.
Convoy Vulnerability
The vulnerability’s impact extends far beyond simple unauthorized access, presenting a critical threat to organizational security. The key impacts include:
- Remote Code Execution (RCE): Successful exploitation grants attackers administrative control over the entire application server, allowing them to:
- Install backdoors for persistent access.
- Modify application logic and functionality.
- Execute system commands with web server privileges.
- Potentially pivot to other systems within the network infrastructure.
- Information Disclosure: Attackers can leverage directory traversal capabilities to access sensitive files:
- .env configuration files containing database credentials.
- API keys and authentication tokens.
- Encryption secrets and security certificates.
- Other critical system configuration data.
- Affected System Scope: All Performave Convoy installations running versions from 3.9.0-rc.3 through 4.4.0 are vulnerable to this attack.
- Amplified Risk: Given Convoy’s role as a panel management system, compromised instances could affect:
- Multiple hosted services and applications.
- Entire hosting environments.
- Connected databases and external services.
- Integrated third-party applications.
Mitigations
Convoy developers have addressed the vulnerability in version 4.4.1, and all users are strongly urged to upgrade immediately.
The patch implements proper input validation and sanitization mechanisms to prevent directory traversal attacks through the affected parameters.
Organizations should prioritize this update due to the critical nature of the vulnerability and the ease of exploitation.
For environments where immediate patching is not feasible, temporary mitigation can be achieved through strict Web Application Firewall (WAF) rules.
These rules should enforce specific validation criteria: the locale parameter must contain exactly “en_US en” if present, while the namespace parameter must exclude directory traversal sequences like “..” (including URL-encoded variants), contain only alphanumeric characters, underscores, periods, and spaces, and maintain a length between 1 and 191 characters.
However, organizations should treat WAF rules as temporary measures only, as upgrading to the patched version remains the sole officially recommended solution for complete vulnerability remediation.
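The WAF criteria above, implemented as a standalone request validator. This is an added example, not Convoy's code or a vendor-supplied rule set; it assumes the quoted locale value “en_US en” denotes the two values `en_US` and `en`, and the query strings it is fed are constructed for illustration.

```python
import re
from typing import Optional, Tuple, List
from urllib.parse import parse_qs, unquote

# Allow-list for the locale parameter. The advisory quotes the permitted value
# as "en_US en"; ASSUMPTION: that denotes the two values "en_US" and "en".
ALLOWED_LOCALES = {"en_US", "en"}

# Namespace rule from the advisory: alphanumerics, underscores, periods and
# spaces only, 1 to 191 characters.
NAMESPACE_RE = re.compile(r"[A-Za-z0-9_. ]{1,191}")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so %2e%2e and %252e%252e both surface as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_locale(locale: Optional[str]) -> Optional[str]:
    """Return None if acceptable, otherwise a short rejection reason."""
    if locale is None:
        return None  # parameter absent: nothing to validate
    if locale not in ALLOWED_LOCALES:
        return f"locale {locale!r} not in allow-list"
    return None


def check_namespace(namespace: Optional[str]) -> Optional[str]:
    """Return None if acceptable, otherwise a short rejection reason."""
    if namespace is None:
        return None
    decoded = fully_decode(namespace)
    if ".." in decoded:
        return "namespace contains a traversal sequence"
    if not NAMESPACE_RE.fullmatch(decoded):
        return "namespace violates charset or length rule"
    return None


def check_query(query_string: str) -> Tuple[bool, List[str]]:
    """Evaluate a raw query string; True means the request may pass."""
    params = parse_qs(query_string, keep_blank_values=True)
    reasons: List[str] = []
    for name, checker in (("locale", check_locale), ("namespace", check_namespace)):
        for value in params.get(name, [None]):
            reason = checker(value)
            if reason:
                reasons.append(reason)
    return (not reasons, reasons)
```

Each parameter value is decoded repeatedly before inspection, so a double-encoded `..` is rejected the same way as a plain one.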