In file: index.py, there is a method that is vulnerable to a path manipulation attack. By modifying file paths, an attacker can acquire sensitive information from different resources.
index.py
--- mslib/index.py
+++ mslib/index.py
@@ -180,6 +180,15 @@
@APP.route("/mss/code/<path:filename>")
def code(filename):
download = request.args.get("download", False)
+ '''
+ ***************** OpenRefactory Warning *****************
+ Possible Path manipulation attack!
+ Path:
+ Tainted information is passed while initializing objects during dependency injection to the formal parameter filename of the method.
+ File: index.py, Line: 183
+ _file = os.path.join(STATIC_LOCATION, 'code', filename)
+ Tainted information is used in a sink.
+ '''
_file = os.path.join(STATIC_LOCATION, 'code', filename)
content = get_content(_file)
if not download:
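Review bot: the added triple-quoted string is only a marker, not a fix; the line `_file = os.path.join(STATIC_LOCATION, 'code', filename)` still passes the raw `<path:filename>` route parameter (which may contain `../` segments, and which `os.path.join` uses verbatim as the whole path when it is absolute) straight into `get_content`. The handler should resolve the joined path (e.g. `os.path.realpath`) and verify it lies under `STATIC_LOCATION/code` before reading, returning 404 otherwise; `werkzeug.utils.safe_join` or `flask.send_from_directory` already implements that containment check.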
Here `filename` is joined with other variables to form a file path `_file`. But `filename` is a route parameter that can capture `path` type values, i.e. values including slashes (`/`). So it is possible for an attacker to manipulate the file being read by assigning a value containing `../` to `filename`.
PoC
For the sake of demonstrating that such a case can potentially be exploited, I created a simple Flask app containing a similar method which sends back the contents of the file in HTML format.
```python
import os
from flask import Flask, Response, request

app = Flask(__name__)
STATIC_LOCATION = '/home/user/Documents/'
...
@app.route("/test/code/<path:filename>")
def code(filename):
    download = request.args.get("download", False)
    # Untrusted route parameter joined directly into the path, exactly as in mslib/index.py
    _file = os.path.join(STATIC_LOCATION, 'code', filename)
    content = get_content(_file)  # reads the file at _file (helper defined in the elided part)
    if not download:
        return Response(content, mimetype="text/html")
...
```
Suppose an attacker requests the following URL:
http://127.0.0.1:5000/test/code/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
The string of hex digits in place of the `filename` parameter is a URL-encoded version of `../../../../etc/passwd`. This causes the file path `_file` to be `/home/user/Documents/code/../../../../etc/passwd`, which in turn causes `/etc/passwd` to be read and its contents sent back.
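The following is an added example (not code from the report or from mslib) that puts the vulnerable join described above next to a hardened resolver, and runs the PoC payload through both. It assumes the same constructed base directory as the PoC; `safe_path` and `decoded_route_param` are names chosen here.

```python
import os
from urllib.parse import unquote

# Constructed sample base directory, matching the PoC in the report.
STATIC_LOCATION = "/home/user/Documents/"


def vulnerable_path(filename):
    """The join as it appears in the reported handler: no containment check."""
    return os.path.join(STATIC_LOCATION, "code", filename)


def safe_path(filename):
    """Resolve `filename` under STATIC_LOCATION/code; return None if it escapes.

    realpath() collapses '..' and follows symlinks, so the check is made on the
    path the OS would actually open, not on the string the client supplied.
    An absolute `filename` makes os.path.join discard the base; realpath plus
    commonpath catches that case too.
    """
    base = os.path.realpath(os.path.join(STATIC_LOCATION, "code"))
    candidate = os.path.realpath(os.path.join(base, filename))
    # commonpath() compares whole components, so '/x/codeXYZ/f' is not
    # mistaken for living under '/x/code' (a plain startswith() check would be).
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def decoded_route_param(raw):
    """What Flask hands to code(filename) after percent-decoding the URL path."""
    return unquote(raw)


if __name__ == "__main__":
    poc = "%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd"
    fname = decoded_route_param(poc)
    print("decoded   :", fname)
    print("vulnerable:", os.path.normpath(vulnerable_path(fname)))
    print("hardened  :", safe_path(fname))          # None: request is rejected
    print("hardened  :", safe_path("main.js"))      # stays under .../code/
```

In a Flask handler, a `None` result should become a 404 rather than a read; `flask.send_from_directory` performs the same containment check internally.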
CLA Requirements:
This section is only relevant if your project requires contributors to sign a Contributor License Agreement (CLA) for external contributions.
All contributed commits are already automatically signed off.
The meaning of a signoff depends on the project, but it typically certifies that the committer has the rights to submit this work under the same license and agrees to a Developer Certificate of Origin (see https://developercertificate.org/ for more information).
Sponsorship and Support:
This work is done by the security researchers from OpenRefactory and is supported by the Open Source Security Foundation (OpenSSF): Project Alpha-Omega. Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code - and get them fixed - to improve global software supply chain security.
The bug is found by running the iCR tool by OpenRefactory, Inc. and then manually triaging the results.