PltHttpServer.cpp have “PathTraversal” Vulnerability #22

Closed
pokerfacett opened this issue Jul 22, 2019 · 8 comments

Comments


I audited the code and found a problem. The problem code is in Platinum/blob/master/Source/Core/PltHttpServer.cpp, line 193:

if ((file_path.Find("/..") >= 0) ||
    (file_path.Find("\\..") >= 0) ||
    NPT_FAILED(NPT_File::GetInfo(file_path, &file_info))) {
    return NPT_ERROR_NO_SUCH_ITEM;
}

The function to prevent path traversal is not enough: (file_path.Find("/..") >= 0)

In PltFileMediaServer.cpp, line 364, the function ExtractResourcePath:

NPT_Ordinal skip = 0;
if (uri_path.StartsWith(m_UrlRoot)) {
    skip = m_UrlRoot.GetLength();
} else if (uri_path.StartsWith(url_root_encode)) {
    skip = url_root_encode.GetLength();
} else {
    return NPT_FAILURE;
}
/* account for extra slash */
skip += ((m_UrlRoot=="/")?0:1);
file_path = uri_path.SubString(skip);

We know that if the victim's root directory is:
/home/sanpangzi/mediaserver/
and an attacker sends a GET request as:
http://localhost:40009/home/sanpangzi/mediaserver/../test.mp3
the variable "file_path" is "../test.mp3",
and the filter function Find("/..") cannot match "../", so this causes a PathTraversal vulnerability.

We suggest the code as follows:

if ((file_path.Find("../") >= 0) || (file_path.Find("..\") >= 0)
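As an added example (not Platinum's own code), the following mimics the root-stripping step and contrasts the substring check from the issue with a segment-based check that rejects ".." wherever it appears, including the leading position that survives the prefix strip and the backslash case raised later in the thread; the url root "/media" and the request paths are constructed for this demonstration.

```cpp
#include <string>

// Weak check, as in PltHttpServer.cpp: only catches ".." that is
// preceded by a separator, so a path that *starts* with ".." passes.
bool weakCheck(const std::string& file_path) {
    return file_path.find("/..") == std::string::npos &&
           file_path.find("\\..") == std::string::npos;
}

// Hardened check: split on '/' and '\\' and reject any segment that is
// exactly "..", regardless of where it sits in the path.
bool hardenedCheck(const std::string& file_path) {
    std::string segment;
    for (char c : file_path) {
        if (c == '/' || c == '\\') {
            if (segment == "..") return false;
            segment.clear();
        } else {
            segment += c;
        }
    }
    return segment != "..";  // also covers a trailing ".." segment
}

// Simplified stand-in for ExtractResourcePath (assumption: url_root has no
// trailing slash, as with "/media"): strip the root and the extra slash.
bool extractResourcePath(const std::string& url_root,
                         const std::string& uri_path,
                         std::string& file_path) {
    if (uri_path.compare(0, url_root.size(), url_root) != 0) return false;
    std::size_t skip = url_root.size() + (url_root == "/" ? 0 : 1);
    if (skip > uri_path.size()) return false;
    file_path = uri_path.substr(skip);
    return true;
}

int main() {
    // Constructed request: the stripped path is "../test.mp3", which the
    // weak check accepts and the hardened check rejects.
    std::string file_path;
    extractResourcePath("/media", "/media/../test.mp3", file_path);
    return (weakCheck(file_path) && !hardenedCheck(file_path)) ? 0 : 1;
}
```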


c0diq commented Jul 23, 2019

The file path is extracted in the PLT_FileMediaServerDelegate::ExtractResourcePath function and will contain the entire path. So in your case, when sending a GET request to http://localhost:40009/home/sanpangzi/mediaserver/../test.mp3, the file_path would be /home/sanpangzi/mediaserver/../test.mp3 and thus the /.. detected.


c0diq commented Jul 23, 2019

Ok I was able to reproduce but not with your example and rather http://localhost:40009/../test.mp3. However I am not understanding your suggestion for the fix.
Did you mean if ((file_path.Find("../") >= 0) || (file_path.Find("..\\") >= 0) ?


pokerfacett commented Jul 23, 2019

The file path is extracted in the PLT_FileMediaServerDelegate::ExtractResourcePath function and will contain the entire path. So in your case, when sending a GET request to http://localhost:40009/home/sanpangzi/mediaserver/../test.mp3, the file_path would be /home/sanpangzi/mediaserver/../test.mp3 and thus the /.. detected.

Thank you for the reply. I understand the m_UrlRoot is the victim's configured root directory, and skip is the length of the root directory. For example, my root dir is "/home/sanpangzi/mediaserver/" and the full url is http://localhost:40009/home/sanpangzi/mediaserver/../test.mp3; after file_path = uri_path.SubString(skip); the root dir is cut, so the file_path is "../test.mp3".

@pokerfacett

Ok I was able to reproduce but not with your example and rather http://localhost:40009/../test.mp3. However I am not understanding your suggestion for the fix.
Did you mean if ((file_path.Find("../") >= 0) || (file_path.Find("..\\") >= 0) ?

I suggest if ((file_path.Find("../") >= 0) || (file_path.Find("..\") >= 0)


c0diq commented Jul 23, 2019

The root dir is not exposed in the url.
The backslash needs to be escaped for this to work, thus the \\.

@pokerfacett

The root dir is not exposed in the url.
The backslash needs to be escaped for this to work, thus the \\.

what is the viable

The root dir is not exposed in the url.
The backslash needs to be escaped for this to work, thus the \\.

Yes, if ((file_path.Find("../") >= 0) || (file_path.Find("..\\") >= 0) this is right.

@pokerfacett

The root dir is not exposed in the url.
The backslash needs to be escaped for this to work, thus the \\.

This case: http://localhost:40009/../test.mp3 could escape the filter pattern file_path.Find("../") >= 0)

@c0diq c0diq pinned this issue Jul 23, 2019
@c0diq c0diq unpinned this issue Jul 23, 2019
@c0diq c0diq closed this as completed Jul 23, 2019
@pokerfacett

Use CVE-2020-19858
