Summary
Hi Roxy-WI Dev Team!
An Absolute Path Traversal vulnerability was found in the current version of Roxy-WI (6.3.9.0 at the moment of writing this report). The vulnerability can be exploited via an HTTP request to /app/options.py and the config_file_name parameter. The vulnerability lies in an insufficient patch to CVE-2023-25802.
Successful exploitation of this vulnerability could allow an authenticated attacker to obtain the content of arbitrary files within the file server.
Details
The root-cause of the vulnerability lies in the get_config function of the /app/modules/config/config.py file, which only checks for relative path traversal, but still allows to read files from absolute locations passed via the config_file_name parameter.
PoC
- Send an authenticated HTTP request to /app/options.py as shown below. The PoC retrieves the /etc/passwd, but any files allowed to be read by the user running the HTTPd service can be accessed.
Impact
The vulnerability impacts the confidentiality of the server, allowing attacker to access arbitrary files within the filesystem.
cchavezr Reporter
Summary
Hi Roxy-WI Dev Team!
An Absolute Path Traversal vulnerability was found in the current version of Roxy-WI (6.3.9.0 at the moment of writing this report). The vulnerability can be exploited via an HTTP request to /app/options.py and the config_file_name parameter. The vulnerability lies in an insufficient patch to CVE-2023-25802.
Successful exploitation of this vulnerability could allow an authenticated attacker to obtain the content of arbitrary files within the file server.
Details
The root-cause of the vulnerability lies in the get_config function of the /app/modules/config/config.py file, which only checks for relative path traversal, but still allows to read files from absolute locations passed via the config_file_name parameter.
PoC
Impact
The vulnerability impacts the confidentiality of the server, allowing attacker to access arbitrary files within the filesystem.