PltHttpServer.cpp have “PathTraversal” Vulnerability #22
Comments
The file path is extracted in the

Ok I was able to reproduce but not with your example and rather

Thank you for reply. I understand the m_UrlRoot is victim's config root directory. and

I suggest if ((file_path.Find("../") >= 0) || (file_path.Find("..\") >= 0)

The root dir is not exposed in the url.

what is the viable
yes

this case :

Use CVE-2020-19858
I audited the code and found a problem. The problem code is in Platinum/blob/master/Source/Core/PltHttpServer.cpp, line 193:

```cpp
if ((file_path.Find("/..") >= 0) || (file_path.Find("\\..") >= 0) ||
    NPT_FAILED(NPT_File::GetInfo(file_path, &file_info))) {
    return NPT_ERROR_NO_SUCH_ITEM;
}
```

The function to prevent path traversal is not enough: `(file_path.Find("/..") >= 0)`

In PltFileMediaServer.cpp, line 364, the function ExtractResourcePath:

```cpp
NPT_Ordinal skip = 0;
if (uri_path.StartsWith(m_UrlRoot)) {
    skip = m_UrlRoot.GetLength();
} else if (uri_path.StartsWith(url_root_encode)) {
    skip = url_root_encode.GetLength();
} else {
    return NPT_FAILURE;
}

/* account for extra slash */
skip += ((m_UrlRoot=="/")?0:1);
file_path = uri_path.SubString(skip);
```

We know that if the victim's root directory is:

/home/sanpangzi/mediaserver/

and an attacker posts a GET request as:

http://localhost:40009/home/sanpangzi/mediaserver/../test.mp3

the variable "file_path" is "../test.mp3"

and the filter function `Find("/..")` could not match "../", so it causes a path traversal vulnerability. We suggest the code as follows:

```cpp
if ((file_path.Find("../") >= 0) || (file_path.Find("..\\") >= 0)
```
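The two substring filters from the issue, side by side with a component-wise check, as an added example that is not code from the Platinum project or from the issue author. It uses `std::string` in place of `NPT_String`, the sample paths are constructed, and `has_dotdot_component` is a hypothetical helper that goes beyond the issue's suggestion by comparing whole path components instead of substrings.

```cpp
#include <cstdio>
#include <string>

// Added example: std::string stands in for Neptune's NPT_String.

// Check quoted from PltHttpServer.cpp: substring search for "/.." or "\..".
bool original_filter_rejects(const std::string& p) {
    return p.find("/..") != std::string::npos ||
           p.find("\\..") != std::string::npos;
}

// Check suggested in the issue: substring search for "../" or "..\".
bool suggested_filter_rejects(const std::string& p) {
    return p.find("../") != std::string::npos ||
           p.find("..\\") != std::string::npos;
}

// Hypothetical helper (assumption, not project code): split the already
// URL-decoded path on '/' and '\' and reject only a component equal to "..".
bool has_dotdot_component(const std::string& p) {
    std::size_t start = 0;
    while (start <= p.size()) {
        std::size_t end = p.find_first_of("/\\", start);
        if (end == std::string::npos) end = p.size();
        if (p.compare(start, end - start, "..") == 0) return true;
        start = end + 1;
    }
    return false;
}

int main() {
    // Constructed sample paths; the first is the file_path from the issue.
    const char* samples[] = {"../test.mp3", "music/..", "..",
                             "song../a.mp3", "music/a.mp3"};
    std::printf("%-14s %8s %9s %9s\n", "file_path", "original", "suggested", "component");
    for (const char* s : samples) {
        std::printf("%-14s %8d %9d %9d\n", s, original_filter_rejects(s),
                    suggested_filter_rejects(s), has_dotdot_component(s));
    }
    return 0;
}
```

Each substring filter has a blind spot the other covers (a leading `..` versus a trailing `..`), and the `../` pattern also rejects a legitimate name such as `song../a.mp3`; the component comparison handles all of these sample cases.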