Summary
Insufficient input validation allowed a directory traversal vulnerability. Any admin configuration file, and any other file readable by the application, can be retrieved by an attacker. Furthermore, some files can also be moved or deleted.
Product
Tested Version
Commit d27ed0f5
Details
The GetImageServlet API endpoint accepts a user-controlled image_path that is used to build the path to a stored image. The content stored at the path image_path is then returned to the user, but image_path is not sanitized, which allows directory traversal and arbitrary file reads.
```java
// Excerpt from GetImageServlet: the request parameter is appended to the
// upload directory without any normalization or containment check.
String image_path = post.get("image",""); // <- user-controlled
imageFile = new File(DAO.data_dir + File.separator + "image_uploads" + File.separator + image_path);
ByteArrayOutputStream data = new ByteArrayOutputStream();
InputStream is = new BufferedInputStream(new FileInputStream(imageFile));
// `is` is written to `data`
ServletOutputStream sos = response.getOutputStream();
sos.write(data.toByteArray()); // <- write content back to user
```
There are further, similar vulnerabilities; all of them have been fixed by ensuring that directory traversal is no longer possible.
For further information, please visit my research article, which shows how to escalate an arbitrary file write to remote code execution (RCE).
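As an added illustration that is not part of this advisory or the project's code, the following Java snippet places the advisory's raw concatenation beside a hardened resolver that normalizes the path and rejects anything that leaves the upload directory; the base directory, class and method names are assumptions.

```java
import java.io.File;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not from the project: contrasts the unchecked
// concatenation with a containment check on the normalized path.
public class ImagePathCheck {

    // Constructed stand-in for DAO.data_dir + File.separator + "image_uploads".
    static final Path UPLOAD_DIR =
            Paths.get("/srv/app/data/image_uploads").toAbsolutePath().normalize();

    // Vulnerable pattern: the user-controlled value is appended verbatim,
    // so "../" segments walk out of UPLOAD_DIR once the OS resolves them.
    static Path vulnerableResolve(String imagePath) {
        return Paths.get(UPLOAD_DIR + File.separator + imagePath).normalize();
    }

    // Hardened pattern: resolve against the base, collapse "." and "..",
    // then require the result to still start with the base directory.
    // resolve() returns an absolute argument unchanged, so an absolute
    // input such as "/etc/passwd" is also caught by the startsWith check.
    static Path safeResolve(String imagePath) {
        Path resolved = UPLOAD_DIR.resolve(imagePath).normalize();
        if (!resolved.startsWith(UPLOAD_DIR)) {
            throw new IllegalArgumentException("image path escapes upload dir: " + imagePath);
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one benign name, three traversal attempts.
        String[] inputs = {
            "cat.png",
            "../../../../etc/passwd",
            "/etc/passwd",
            "sub/../../settings.json",
        };
        for (String in : inputs) {
            System.out.println("input:      " + in);
            System.out.println("vulnerable: " + vulnerableResolve(in));
            try {
                System.out.println("hardened:   " + safeResolve(in));
            } catch (IllegalArgumentException e) {
                System.out.println("hardened:   rejected (" + e.getMessage() + ")");
            }
            System.out.println();
        }
    }
}
```

The check operates on the already URL-decoded servlet parameter, so double-encoding tricks must be handled by the decoding layer, not here. If the upload directory may contain symlinks, compare `toRealPath()` of both sides instead of the lexically normalized paths.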
Impact
Remote code execution as shown in my research article.
CVE
Github Advisories
Coordinated Disclosure Timeline
- 2020-03-06: Asked to open a Github security advisory.
- 2020-03-10: Invited to Github security advisory.
- 2020-05-13: Issue is patched.
- 2020-06-08: CVE is assigned.
- 2020-10-15: Advisory is published.
Credit
This issue was discovered and reported by @intrigus-lgtm.
Contact
You can contact the ISL at isl@intrigus.org. Please include a reference to ISL-2020-001 in any communication regarding this issue.