I recently received a note from a white hat security researcher that I have been in contact with in the past and he notified me of an exploit that is currently in RAMADDA that allows for access to any file on the server file system.
There is an entry point in RAMADDA, /gettmpfile?file=<some file path>, that delivers any file on the server. I don't recall at all when this was implemented but it has been in place since at least 2018 according to the Github logs. Needless to say I am mortified that this ever got into RAMADDA.
I have fixed the problem and made a new release of RAMADDA and you should update your server. From looking at the logs on ramadda.org I do not believe that this is a known exploit. However, you should check your access log files under <ramadda home>/logs. Past log files are gzipped, e.g.

access-2025-04-10-04-47-57-1.log.gz

You should be able to do a zgrep which can search in .gz files, e.g.:

zgrep gettmpfile access*
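As an added example, not part of Jeff's note or of the RAMADDA project itself, the script below automates that log check: it walks a logs directory, reads both plain and gzipped access logs, lists every request to the gettmpfile entry point, and separately counts the ones whose file parameter contains a parent-directory hop (../ or its URL-encoded form). It assumes common-log-style lines with the request in double quotes; the actual RAMADDA log layout may differ, so adjust the grep if yours does. The sample log lines it writes are constructed for the demonstration, not real traffic, and gzip -dc is used in place of zgrep only for portability.

```shell
#!/bin/sh
# Added example (not from the original note or from RAMADDA): scan a RAMADDA
# logs directory for requests to /gettmpfile in plain and gzipped access logs.
# Assumes common-log-style lines with the request in double quotes.

# Print every gettmpfile request found under the given directory, one per
# line, prefixed with the file it came from. Covers access*.log and the
# rotated access*.log.gz files the note mentions.
list_gettmpfile_requests() {
    logdir="$1"
    for f in "$logdir"/access*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.gz) reader="gzip -dc" ;;
            *)    reader="cat" ;;
        esac
        $reader "$f" | grep -F 'gettmpfile' | sed "s|^|$f: |"
    done
}

# Count gettmpfile requests whose file parameter contains a parent-directory
# hop: "../" or its URL-encoded form "..%2f" (case-insensitive). Prints the count.
count_traversal_attempts() {
    list_gettmpfile_requests "$1" | grep -Eic 'gettmpfile\?[^" ]*(\.\./|\.\.%2f)' || true
}

# Build a directory of constructed sample logs (not real traffic) so the
# functions above can be exercised offline; prints the directory path.
make_sample_logs() {
    dir=$(mktemp -d)
    cat > "$dir/access-2025-04-11-00-00-00-1.log" <<'EOF'
203.0.113.5 - - [11/Apr/2025:10:15:02 +0000] "GET /repository/entry/show?entryid=abc HTTP/1.1" 200 5120
203.0.113.5 - - [11/Apr/2025:10:15:09 +0000] "GET /repository/gettmpfile?file=../../../etc/passwd HTTP/1.1" 200 1839
EOF
    cat > "$dir/access-2025-04-10-04-47-57-1.log" <<'EOF'
198.51.100.7 - - [10/Apr/2025:04:40:11 +0000] "GET /repository/gettmpfile?file=..%2F..%2Frepository.properties HTTP/1.1" 200 912
198.51.100.7 - - [10/Apr/2025:04:41:30 +0000] "GET /repository/gettmpfile?file=tmp/upload123.nc HTTP/1.1" 200 40960
EOF
    gzip "$dir/access-2025-04-10-04-47-57-1.log"
    echo "$dir"
}

# Run against your real logs with:
#   list_gettmpfile_requests "<ramadda home>/logs"
#   count_traversal_attempts "<ramadda home>/logs"
```

Any hit at all is worth reading, since the note says there is no legitimate reason to expect traffic to this entry point; the traversal count just separates the clearly hostile requests from the rest.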
Out of an abundance of caution, if you have any API keys (e.g., ChatGPT) or user logins configured in a repository.properties or elsewhere on your server, it would be a good idea to invalidate the API keys and/or update the login information.
I really am sorry about this. I always try to do my best but sometimes things slip through the cracks.
-Jeff