Summary
Insufficient input validation allowed a directory traversal vulnerability. Any admin config or file readable by the application can be retrieved by an attacker. Furthermore, user-controlled content could be written to any admin config or file readable by the application.
Product
Tested Version
Commit 5f48476d
Details
The AssetServlet endpoint accepts three user-controlled parameters: screenName, idStr, and file. The three parameters are used to build the path to a stored asset whose content is then returned to the user, but the path is not sanitized, which allows directory traversal and arbitrary file reads.
```java
// Excerpt from AssetServlet at the tested commit (imports shown for reference).
import java.io.BufferedInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import javax.servlet.ServletOutputStream;

String screenName = post.get("screen_name", ""); // <- user-controlled
String idStr = post.get("id_str", ""); // <- user-controlled
String file = post.get("file", ""); // <- user-controlled
// The three values are joined into a filesystem path without any sanitization
File assetFile = DAO.getAssetFile(screenName, idStr, file);
ByteArrayOutputStream data = new ByteArrayOutputStream();
InputStream is = new BufferedInputStream(new FileInputStream(assetFile));
// `is` is written to `data`
ServletOutputStream sos = response.getOutputStream();
sos.write(data.toByteArray()); // <- write content back to user
```
AssetServlet also allows arbitrary file write in its doPost method.
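As an added example that is not the project's own code or its actual patch, the following hypothetical hardened replacement for DAO.getAssetFile shows the check that was missing: each component is validated, the path is normalized, and the result must still lie under an assumed asset root (ASSET_ROOT and all inputs are constructed for illustration).

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/** Hypothetical hardened asset path resolver (added example, not project code). */
public final class SafeAssetPath {
    // Assumed asset root; normalized once so later comparisons are consistent.
    private static final Path ASSET_ROOT =
            Paths.get("/var/lib/app/assets").toAbsolutePath().normalize();

    /** Returns the asset path, or throws if any component is unsafe or escapes the root. */
    public static Path resolveAsset(String screenName, String idStr, String file) {
        // Reject empty components and anything carrying a separator or traversal token,
        // so each value can only ever name a single directory entry.
        for (String part : new String[] { screenName, idStr, file }) {
            if (part == null || part.isEmpty()
                    || part.contains("/") || part.contains("\\")
                    || part.equals(".") || part.equals("..")) {
                throw new IllegalArgumentException("invalid asset component");
            }
        }
        // Defense in depth: normalize and confirm containment. Path.startsWith compares
        // whole components, so a sibling such as /var/lib/app/assets2 does not match.
        Path candidate = ASSET_ROOT.resolve(screenName).resolve(idStr).resolve(file).normalize();
        if (!candidate.startsWith(ASSET_ROOT)) {
            throw new IllegalArgumentException("asset path escapes root");
        }
        // Note: symlinks inside the root are not resolved here; use toRealPath() if needed.
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate request and one traversal attempt.
        System.out.println(resolveAsset("alice", "1234", "avatar.png"));
        try {
            resolveAsset("..", "..", "placeholder-target");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same containment check applies to the doPost write path, where an unvalidated destination is at least as dangerous as an unvalidated read.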
Impact
It is likely that remote code execution is possible by adding malicious authorized_keys entries to the SSH daemon or by adding malicious crontabs, but this has not been tested.
CVE
Github Advisories
Coordinated Disclosure Timeline
- 2020-03-17: Asked to open a Github security advisory.
- 2020-06-04: Invited to Github security advisory.
- 2020-07-02: Issue is patched.
- 2020-07-06: CVE is assigned.
- 2021-02-02: Advisory is published.
Credit
This issue was discovered and reported by @intrigus-lgtm.
Contact
You can contact the ISL at isl@intrigus.org. Please include a reference to ISL-2020-002 in any communication regarding this issue.