Total.js Directory Traversal (CVE-2019-8903)

Description

Total.js framework versions prior to 3.2.4 contain a directory traversal vulnerability (CVE-2019-8903) that allows unauthenticated attackers to bypass path restrictions and access files outside the intended web root directory. By manipulating file paths in HTTP requests using special character sequences (such as '../'), attackers can read arbitrary files on the server's filesystem, potentially exposing sensitive configuration files, source code, credentials, and other confidential data.

Remediation

Immediately upgrade the Total.js framework to version 3.2.4 or later, which contains fixes for this directory traversal vulnerability. Follow these steps:

1. Update the Total.js dependency in your package.json file to version 3.2.4 or higher
2. Run 'npm update total.js' or 'npm install total.js@latest' to install the patched version
3. Test the application thoroughly to ensure compatibility with the updated framework
4. Review server logs for any suspicious file access patterns that may indicate prior exploitation
5. As an additional security measure, implement proper file access controls and input validation to restrict file paths to intended directories only
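
One way to implement the path restriction from step 5 in Node.js, as an added example that is not Total.js code or the vendor's fix. `WEB_ROOT`, `resolveInsideRoot` and the sample request paths are hypothetical names and constructed values.

```javascript
'use strict';
const path = require('node:path');

// Constructed web root for this example (assumption, not a Total.js default).
const WEB_ROOT = path.resolve('/srv/app/public');

// Hypothetical helper: map a request path to an absolute file path inside
// `root`, or return null when the request must be refused.
function resolveInsideRoot(root, urlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath); // decode exactly once
  } catch (err) {
    return null; // malformed percent-encoding
  }
  // NUL bytes and leftover escapes (double encoding such as %252e) are
  // refused so that no later layer can decode them into "../".
  if (decoded.includes('\0') || /%[0-9a-f]{2}/i.test(decoded)) return null;

  // Treat "\" as a separator so "..\" is caught on every platform.
  const unified = decoded.replace(/\\/g, '/');

  // Resolve relative to the root; the "./" prefix keeps a leading "/" from
  // being read as an absolute path that would replace the root.
  const candidate = path.resolve(root, './' + unified);

  // Compare against root + separator: a bare startsWith(root) would also
  // accept a sibling directory such as "/srv/app/public-backup".
  if (candidate !== root && !candidate.startsWith(root + path.sep)) return null;

  // Lexical check only: if the root can contain symlinks, also compare
  // fs.realpathSync(candidate) against the root before opening the file.
  return candidate;
}

// Constructed request paths, printed with the decision for each.
for (const p of ['/css/site.css', '/../../etc/passwd', '/..%5c..%5cconfig']) {
  console.log(p, '->', resolveInsideRoot(WEB_ROOT, p) ?? 'REFUSED');
}
```
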

If an immediate upgrade is not possible, implement a web application firewall (WAF) rule to block requests containing directory traversal patterns (../, ..\, encoded variations) as a temporary mitigation.