Summary
Hi Roxy-WI Dev Team!
An Absolute Path Traversal vulnerability was found in the current version of Roxy-WI (6.3.9.0 at the time of writing this report). The vulnerability can be exploited via an HTTP request to /app/options.py using the config_file_name parameter. It stems from an insufficient patch for CVE-2023-25802.
Successful exploitation of this vulnerability could allow an authenticated attacker to obtain the content of arbitrary files on the server's filesystem.
Details
The root cause of the vulnerability lies in the get_config function of the /app/modules/config/config.py file, which only checks for relative path traversal (".." sequences) but still allows files to be read from absolute paths passed via the config_file_name parameter.
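The following is an added example, not Roxy-WI's own code, showing why a check limited to relative traversal is insufficient and how a containment check fixes it. It models the insufficient check class described above, then anchors every user-supplied name to a fixed base directory and verifies the resolved path stays inside it. The base directory value and the function names are hypothetical and do not reflect Roxy-WI's actual configuration or API.

```python
"""Added example (not Roxy-WI code): validating a user-supplied config file name.

A check that only rejects '..' still lets an absolute name such as /etc/passwd
through. The hardened resolver anchors the name to a base directory and checks
containment after resolution. CONFIG_BASE_DIR is a hypothetical value.
"""
import os
from pathlib import Path

# Hypothetical config directory, used for illustration only.
CONFIG_BASE_DIR = "/var/www/haproxy-wi/configs"


def naive_relative_only_check(config_file_name: str) -> bool:
    """Models the insufficient-fix class from the advisory: it only looks for
    '..' path segments, so an absolute path passes unchanged."""
    return ".." not in config_file_name.split("/")


def resolve_config_path(config_file_name: str, base_dir: str = CONFIG_BASE_DIR) -> Path:
    """Return the resolved path for config_file_name inside base_dir, or raise
    ValueError if the name is absolute, empty, or escapes base_dir."""
    base = Path(base_dir).resolve()

    # Absolute input is never legitimate here: Path(base) / "/etc/passwd"
    # silently discards base, which is exactly the bug class in the advisory.
    if os.path.isabs(config_file_name):
        raise ValueError(f"absolute path rejected: {config_file_name!r}")

    # resolve() collapses '.' and '..' and follows symlinks that exist, so the
    # containment check sees the real target rather than the raw string.
    candidate = (base / config_file_name).resolve()

    # The file must be strictly inside base: base itself ('' or '.') is refused.
    if candidate == base or base not in candidate.parents:
        raise ValueError(f"path escapes config directory: {config_file_name!r}")
    return candidate


def is_safe_config_name(config_file_name: str, base_dir: str = CONFIG_BASE_DIR) -> bool:
    """Boolean wrapper around resolve_config_path for use in a request handler."""
    try:
        resolve_config_path(config_file_name, base_dir)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a legitimate name, a relative traversal, an absolute path.
    for name in ("haproxy.cfg", "../../etc/passwd", "/etc/passwd"):
        print(f"{name:20} naive={naive_relative_only_check(name)!s:5} "
              f"hardened={is_safe_config_name(name)}")
```

The containment test compares the fully resolved candidate against the resolved base rather than inspecting the raw string, so mixed forms such as `sub/../../x` or symlinks pointing outside the directory are caught by the same rule as a plain absolute path.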
PoC
- Send an authenticated HTTP request to /app/options.py as shown below. The PoC retrieves /etc/passwd, but any file readable by the user running the HTTPd service can be accessed.
![image](https://user-images.githubusercontent.com/2038097/229664734-e98b0911-c7e1-4fa8-9414-214d88ba5d63.png)
Impact
The vulnerability impacts the confidentiality of the server, allowing an attacker to access arbitrary files within the filesystem.