Insufficient input validation allowed a directory traversal vulnerability. Any admin configuration file, and any other file readable by the application, can be retrieved by the attacker. Furthermore, some files can also be moved or deleted.
The GetImageServlet API endpoint accepts a user-controlled image_path that is used to build the path to a stored image. The content stored at image_path is then returned to the user, but image_path is not sanitized, which allows directory traversal and arbitrary file reads.
```java
String image_path = post.get("image", ""); // <- user-controlled
imageFile = new File(DAO.data_dir + File.separator + "image_uploads" + File.separator + image_path);
ByteArrayOutputStream data = new ByteArrayOutputStream();
InputStream is = new BufferedInputStream(new FileInputStream(imageFile));
// `is` is written to `data`
ServletOutputStream sos = response.getOutputStream();
sos.write(data.toByteArray()); // <- write content back to user
```
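As an added example (not the project's own code) of how the lookup above can be confined to the upload directory, here is a hypothetical helper `resolveInside` that stands in for the `DAO.data_dir + "/image_uploads" + image_path` construction and rejects any request whose canonical path leaves the base directory:

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Hypothetical replacement for the unchecked File(...) construction in GetImageServlet.
public class SafeImagePath {

    // Resolves a user-supplied relative path inside baseDir and returns null if the
    // result would escape it after ".." segments and symlinks are resolved.
    static Path resolveInside(Path baseDir, String userPath) throws IOException {
        Path base = baseDir.toRealPath();                 // canonical base, symlinks resolved
        Path candidate = base.resolve(userPath).normalize(); // collapses "../" lexically
        // An absolute userPath or a ".." sequence that climbs above base fails this check.
        if (!candidate.startsWith(base)) {
            return null;
        }
        // For existing files, also compare the canonical path so a symlink inside the
        // upload directory cannot point the read outside of it.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(base)) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sandbox: a temporary directory stands in for data_dir/image_uploads.
        Path uploads = Files.createTempDirectory("image_uploads");
        Files.write(uploads.resolve("cat.png"), new byte[] {1, 2, 3});

        System.out.println(resolveInside(uploads, "cat.png"));          // plain file name
        System.out.println(resolveInside(uploads, "../../etc/passwd")); // classic "../" climb
        System.out.println(resolveInside(uploads, "/etc/passwd"));      // absolute path
        System.out.println(resolveInside(uploads, "sub/../cat.png"));   // "../" that stays inside
    }
}
```

The caller should treat a null return as a client error and never fall back to the raw user-supplied string.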
There are further, similar vulnerabilities; all of them have been fixed by ensuring that directory traversal is no longer possible.
For further information, please see my research article, which shows how to escalate an arbitrary file write to remote code execution (RCE).
Remote code execution as shown in my research article.
- 2020-03-06: Asked to open a Github security advisory.
- 2020-03-10: Invited to Github security advisory.
- 2020-05-13: Issue is patched.
- 2020-06-08: CVE is assigned.
- 2020-10-15: Advisory is published.
This issue was discovered and reported by @intrigus-lgtm.
You can contact the ISL at firstname.lastname@example.org. Please include a reference to ISL-2020-001 in any communication regarding this issue.