Possible path traversal when serving static image files #4226

Closed
nilmerg opened this issue Aug 14, 2020 · 0 comments · Fixed by #4227
Labels: area/framework (Affects third party integration/development), bug (Something isn't working), queue/important (Blocks a release or needs immediate attention)

nilmerg commented Aug 14, 2020

The vulnerability in question allows an attacker to access arbitrary files which are readable by the process running Icinga Web 2. (This is usually the web server or FPM process.)

To exploit this vulnerability the attacker has to acquire the following knowledge:

  • The URI at which Icinga Web 2 is accessible
  • An installed additional (non-core) module, which can be leveraged (Subject to trial-and-error)
  • The module's install path (Subject to common knowledge and trial-and-error)

A valid user login is NOT required.

The attack is performed by sending an HTTP GET or POST request to a particular route of Icinga Web 2.
The request has to include the module's name and the desired (relative) file path.

Example:

  • Icinga Web 2 is accessible at /icingaweb2
  • The business process module is installed and enabled
  • The module is installed at /usr/share/icingaweb2/modules

Applicable request to access /etc: "GET /icingaweb2/static/img?module_name=businessprocess&file=../../../../../../../etc/os-release"

Since when does it exist?

Since the initial 2.0.0 stable release.

Am I affected?

Whether you have already been a victim of this vulnerability can only be verified by inspecting the web server's access log.
Manifestations of such a request in the access log can be identified with this command:

grep -Pie '(?<=GET|POST ).+/static/img\?(.*file=((\.|%2e)(\.|%2e)(/|%2f)){3,}\S*| )' access.log

Which modules can be leveraged?

Known and publicly available modules:

We would like to emphasize that a module itself is NOT the cause nor affected. None of the listed modules require a fix in this regard.
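The root cause described above is a static-file route that joins a user-supplied relative path onto the module's image directory without checking where the result ends up. The following Python snippet is an added illustration, not code from Icinga Web 2 or its fix (#4227): it builds a throwaway directory tree standing in for the install path (the real default, /usr/share/icingaweb2/modules, is only mentioned in the issue; the tree here is constructed), shows the vulnerable join beside a hardened resolver, and the hardened version rejects `..` segments, absolute paths, symlink escapes and traversal smuggled through the module name. The function names and the `public/img` layout are assumptions for the example.

```python
import os
import re
import tempfile
from pathlib import Path

# Module names in Icinga Web 2 are plain identifiers; anything else is rejected
# before it ever touches the filesystem (assumed policy for this example).
MODULE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def make_demo_tree() -> str:
    """Constructed stand-in for an install: a module with one icon, plus a
    file outside the module tree that a traversal would try to reach."""
    root = tempfile.mkdtemp(prefix="icingaweb2-demo-")
    img_dir = Path(root, "modules", "businessprocess", "public", "img")
    img_dir.mkdir(parents=True)
    (img_dir / "icon.png").write_bytes(b"\x89PNG demo")
    Path(root, "etc").mkdir()
    Path(root, "etc", "os-release").write_text("NAME=demo\n")
    return root


def module_img_dir(root: str, module_name: str) -> str:
    return os.path.join(root, "modules", module_name, "public", "img")


def resolve_unsafe(root: str, module_name: str, file: str) -> str:
    """The vulnerable pattern: concatenate and serve, no containment check.
    '../../../../etc/os-release' happily walks out of the module directory."""
    return os.path.join(module_img_dir(root, module_name), file)


def resolve_safe(root: str, module_name: str, file: str):
    """Hardened resolver. Returns the real path of the file to serve, or None
    when the request must be refused.

    1. Only accept well-formed module names (blocks module_name=../../..).
    2. realpath() collapses '..' and follows symlinks, so the comparison is
       made on where the file really lives, not on the string the client sent.
    3. commonpath() proves the result is at or below the image directory;
       a string prefix check alone would accept '.../img_evil/...'.
    """
    if not MODULE_NAME_RE.match(module_name):
        return None
    base = os.path.realpath(module_img_dir(root, module_name))
    # os.path.join discards base when `file` is absolute; realpath + the
    # commonpath check below catches that case as well.
    candidate = os.path.realpath(os.path.join(base, file))
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


if __name__ == "__main__":
    root = make_demo_tree()
    leak = "../../../../etc/os-release"
    print("unsafe ->", resolve_unsafe(root, "businessprocess", leak))
    print("safe   ->", resolve_safe(root, "businessprocess", leak))
    print("safe   ->", resolve_safe(root, "businessprocess", "icon.png"))
```

The containment test uses `commonpath` rather than `startswith` so that a sibling directory whose name merely begins with the base path cannot slip through, and `realpath` is applied to both sides so that a symlink planted inside the image directory cannot point the check at a file outside it.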

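The grep one-liner in the issue looks for three or more `../` steps, literal or single-percent-encoded, in the `file` parameter of `/static/img` requests. The Python below is an added example, not part of the issue or of Icinga Web 2, that performs the same check over access-log lines after fully percent-decoding the parameter, so that double-encoded variants (`%252e%252e%252f`) are caught as well. The log lines are constructed for this example (documentation IP ranges, invented timestamps and sizes) and do not come from any real server; the helper names are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample in the common access-log format; not a real log.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Aug/2020:10:01:02 +0000] "GET /icingaweb2/static/img?module_name=businessprocess&file=icon.png HTTP/1.1" 200 1024
203.0.113.5 - - [14/Aug/2020:10:01:07 +0000] "GET /icingaweb2/static/img?module_name=businessprocess&file=../../../../../../../etc/os-release HTTP/1.1" 200 312
198.51.100.9 - - [14/Aug/2020:10:02:11 +0000] "POST /icingaweb2/static/img?module_name=businessprocess&file=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2048
198.51.100.9 - - [14/Aug/2020:10:02:15 +0000] "GET /icingaweb2/static/img?module_name=businessprocess&file=%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fhostname HTTP/1.1" 404 0
192.0.2.7 - - [14/Aug/2020:10:03:00 +0000] "GET /icingaweb2/dashboard HTTP/1.1" 200 5120
"""

# Request line inside the quoted part of a log entry.
REQUEST_RE = re.compile(r'"(?P<method>GET|POST) (?P<target>\S+) HTTP/[\d.]+"')
# Three or more parent-directory steps, the same threshold the issue's grep uses.
TRAVERSAL_RE = re.compile(r"(?:\.\./){3,}")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until the string stops changing, so that
    double (or triple) encoding does not hide '../' from the pattern."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line: str):
    """Return a finding dict for a traversal attempt on /static/img, else None.
    A 404 is still reported: the attempt matters, not only the success."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/static/img"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes one level
    for raw in params.get("file", []):
        decoded = decode_fully(raw)
        if TRAVERSAL_RE.search(decoded):
            return {
                "method": m.group("method"),
                "module": params.get("module_name", ["?"])[0],
                "file": decoded,
            }
    return None


def find_traversal_attempts(log_text: str) -> list:
    return [hit for hit in map(inspect_line, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```

Run it against a real log with `find_traversal_attempts(open("access.log").read())`; the request that the issue gives as its example is the second sample line and is reported with its decoded `file` value.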
@nilmerg nilmerg added bug Something isn't working TBD To be defined - We aren't certain about this yet labels Aug 14, 2020
@nilmerg nilmerg added this to the 2.8.2 milestone Aug 14, 2020
@nilmerg nilmerg self-assigned this Aug 14, 2020
@nilmerg nilmerg added enhancement New feature or improvement and removed bug Something isn't working labels Aug 14, 2020
@nilmerg nilmerg changed the title Placeholder Make the world a better place Aug 14, 2020
nilmerg added a commit that referenced this issue Aug 19, 2020
nilmerg added a commit that referenced this issue Aug 19, 2020
nilmerg added a commit that referenced this issue Aug 19, 2020
@nilmerg nilmerg added area/framework Affects third party integration/development bug Something isn't working queue/important Blocks a release or needs immediate attention and removed TBD To be defined - We aren't certain about this yet enhancement New feature or improvement labels Aug 19, 2020
@nilmerg nilmerg changed the title Make the world a better place Possible path traversal when serving static image files Aug 19, 2020
bob-beck pushed a commit to openbsd/ports that referenced this issue Aug 20, 2020