The URL input doesn't check the user inputs #41

Closed
SkypLabs opened this issue Sep 25, 2017 · 2 comments
@SkypLabs
Hi,

When I used your online tool to check the RDFa attributes of my own website, I got the following error:

error IOError: Failed to open blog.skyplabs.net: No such file or directory @ rb_sysopen - blog.skyplabs.net

The problem here is that I didn't specify http://. Consequently, the software tried to find blog.skyplabs.net as a local file. This issue leads to a directory traversal attack, allowing an attacker to disclose information about the remote system.

For example, it is possible to know if a directory exists or not (with ../etc/ssh as input):

error Errno::EISDIR: Is a directory @ io_fread - ../etc/ssh

When used on a file whose format is not recognised by the parser, the error message tends to leak some precious information (with ../etc/os-release as input):

validation ../etc/os-release: Errors found during processing

validation ../etc/os-release: ERROR [line 1] Lexer error: With input 'NAME="Ubuntu" VERSION="14.04.5 LTS, Trusty Tahr" ID=ubuntu ID_LIKE=debian PRETTY_NAME="Ubuntu 14.04.5': Invalid token "NAME=\"Ubuntu\"": {:production=>:statement, :token=>"NAME=\"Ubuntu\""}:

validation ../etc/os-release: FATAL recovery: statement: ["."]

For example, an attacker could use this vulnerability to reveal the installed and running services on the remote host (with ../etc/mysql/my.cnf as input):

validation ../etc/mysql/my.cnf: Errors found during processing

validation ../etc/mysql/my.cnf: ERROR [line 19] Lexer error: With input 'client] port = 3306 socket = /var/run/mysqld/mysqld.sock # Here is entries for some specific progr': Invalid token "client]": {:production=>:predicateObjectList, :token=>"client]"}:

validation ../etc/mysql/my.cnf: FATAL recovery: predicateObjectList: ";"

validation ../etc/mysql/my.cnf: FATAL recovery: blankNodePropertyList: "]"

validation ../etc/mysql/my.cnf: FATAL recovery: triples: ["."]

validation ../etc/mysql/my.cnf: FATAL recovery: statement: ["."]

We now know that the MySQL server is installed on the remote server and listens on port 3306. To check if it is currently running or not (with ../var/run/mysqld/mysqld.sock as input):

error IOError: Failed to open ../var/run/mysqld/mysqld.sock: No such file or directory @ rb_sysopen - ../var/run/mysqld/mysqld.sock

To fix this issue, the user inputs need to be checked to ensure that they are real URL addresses and not local files.
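The input-handling decision the report describes, shown as an added Ruby example that is not the project's own code: a vulnerable shape in which anything that does not parse as an http(s) URI falls through to a local-file branch (the branch behind the `rb_sysopen` and `Is a directory` errors above), next to a hardened version that accepts only an absolute http(s) URL with a host and never touches the filesystem. The helper names (`fetch_unsafe`, `validate_remote_url`, `remote_url?`) and the sample inputs are assumptions constructed for the illustration.

```ruby
require 'uri'

# Added example, not code from the rdf-distiller project. Helper names are
# assumptions; the inputs exercised at the bottom are constructed from the
# strings quoted in the issue plus a few neighbours.

# Vulnerable shape: a scheme-less "URL" is not a URI::HTTP, so it lands in the
# local branch. In the original this is where File.open was reached, which is
# why "blog.skyplabs.net" and "../etc/ssh" were resolved as paths.
def fetch_unsafe(input)
  uri = URI.parse(input)
  if uri.is_a?(URI::HTTP)               # URI::HTTPS is a subclass of URI::HTTP
    { source: :remote, target: uri.to_s }
  else
    { source: :local, target: input }   # "../etc/os-release" lands here
  end
rescue URI::InvalidURIError
  { source: :local, target: input }
end

ALLOWED_SCHEMES = %w[http https].freeze

# Hardened shape: require an absolute http(s) URL with a non-empty host and
# provide no filesystem fallback at all. Anything else raises ArgumentError,
# so a traversal string can never reach File.open.
def validate_remote_url(input)
  uri = URI.parse(input.to_s.strip)
  ok = uri.is_a?(URI::HTTP) &&
       ALLOWED_SCHEMES.include?(uri.scheme.downcase) &&
       !uri.host.to_s.empty?            # rejects e.g. "http:../etc/ssh"
  raise ArgumentError, "not an absolute http(s) URL: #{input.inspect}" unless ok
  uri
rescue URI::InvalidURIError => e
  raise ArgumentError, "malformed URL #{input.inspect}: #{e.message}"
end

# Boolean convenience wrapper around the validator.
def remote_url?(input)
  validate_remote_url(input)
  true
rescue ArgumentError
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: the ones quoted in the issue plus a few neighbours.
  %w[blog.skyplabs.net ../etc/ssh ../etc/os-release http://blog.skyplabs.net
     https://example.org/index.html file:///etc/passwd http:../etc/ssh].each do |input|
    printf("%-32s unsafe=%-7s hardened=%s\n", input,
           fetch_unsafe(input)[:source],
           remote_url?(input) ? 'accept' : 'reject')
  end
end
```

The important design point is the absence of an `else` branch in the hardened path: validation that merely logs or warns and then still opens the string as a file would leave the traversal intact. Rejecting `file:` and schemeless input is what closes the local-disclosure channel; whether the tool should also block internal hostnames (SSRF) is a separate question the report does not raise.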

@gkellogg gkellogg self-assigned this Sep 25, 2017
@gkellogg gkellogg added the bug label Sep 25, 2017
@gkellogg (Member)

Thanks for catching this.

@SkypLabs (Author)

The CVE assigned for this vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2017-1000448.
