
Potential Path Manipulation in file mslib/index.py

Critical
ReimarBauer published GHSA-pf2h-qjcr-qvq2 Feb 15, 2024

Package

mss (conda-forge)

Affected versions

>=5.0.0 <8.3.3

Patched versions

8.3.3

Description

In mslib/index.py, the code() view is vulnerable to path manipulation (directory traversal). By supplying a crafted filename, an attacker can read files outside the directory the view is meant to serve and so obtain sensitive information from other resources on the host.

index.py

--- mslib/index.py

+++ mslib/index.py

@@ -180,6 +180,15 @@

     @APP.route("/mss/code/<path:filename>")

     def code(filename):

         download = request.args.get("download", False)

+        '''

+        ***************** OpenRefactory Warning *****************

+        Possible Path manipulation attack!

+        Path:

+        		Tainted information is passed while initializing objects during dependency injection to the formal parameter filename of the method.

+        	File: index.py, Line: 183

+        		_file = os.path.join(STATIC_LOCATION, 'code', filename)

+        		Tainted information is used in a sink.

+        '''

         _file = os.path.join(STATIC_LOCATION, 'code', filename)

         content = get_content(_file)

         if not download:
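Review bot: this hunk only adds a warning comment; the tainted filename still flows unchecked from the <path:filename> route into `_file = os.path.join(STATIC_LOCATION, 'code', filename)`, so a value containing ../ reads outside the code directory, and an absolute value makes os.path.join discard STATIC_LOCATION altogether. Resolve the joined path and reject the request (404) unless the result stays under the code directory, for example via werkzeug.utils.safe_join, or serve the file with flask.send_from_directory, which performs that check itself; the warning block should not ship in the source.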

Here filename is joined with other components to form the file path _file. But filename is bound by the <path:filename> converter, which accepts values containing slashes (/), so an attacker can supply a value containing ../ and choose which file is read.

PoC

For the sake of demonstrating that such a case can potentially be exploited, I created a simple Flask app containing a similar method which sends back the contents of the file in HTML format.

import os

from flask import Flask, Response, request

app = Flask(__name__)
STATIC_LOCATION = '/home/user/Documents/'


def get_content(path):
    # Stand-in for the real helper (assumed for this PoC): returns the file's contents as-is.
    with open(path, encoding='utf-8') as f:
        return f.read()


@app.route("/test/code/<path:filename>")
def code(filename):
    download = request.args.get("download", False)
    # Vulnerable on purpose: filename comes straight from the URL and is joined unchecked
    _file = os.path.join(STATIC_LOCATION, 'code', filename)
    content = get_content(_file)
    if not download:
        return Response(content, mimetype="text/html")

    ...

Suppose an attacker requests the following URL:

http://127.0.0.1:5000/test/code/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd

The string of hex digits in place of the filename parameter is the URL-encoded form of ../../../../etc/passwd. After the WSGI layer decodes it, the file path _file becomes /home/user/Documents/code/../../../../etc/passwd, which the operating system resolves to /etc/passwd, so that file is read and its contents are sent back.
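The traversal described above and a containment check that defeats it, as an added example that is not part of the advisory or of the MSS code base: it decodes the PoC segment the way the WSGI layer does before Flask binds it to <path:filename>, shows the path the unvalidated join actually opens, and beside it a hardened resolver that rejects anything escaping the code directory. The function names (vulnerable_target, safe_target, classify) and the directory layout are assumptions of this example, chosen to match the PoC.

```python
import os
from urllib.parse import unquote

# Assumed layout, matching the PoC: files may only be served from the
# "code" directory under STATIC_LOCATION.
STATIC_LOCATION = '/home/user/Documents/'
CODE_DIR = os.path.join(STATIC_LOCATION, 'code')


def decode_route_segment(encoded):
    """Percent-decode a URL path segment the way the WSGI server does
    before Flask binds it to <path:filename>."""
    return unquote(encoded)


def vulnerable_target(filename):
    """The advisory's pattern: the path the OS will actually open when
    filename is joined without validation (normalised so the effect of
    every '..' is visible)."""
    return os.path.normpath(os.path.join(CODE_DIR, filename))


def safe_target(filename, base=CODE_DIR):
    """Hardened replacement (added here, not the project's code): return the
    resolved path for filename inside base, or None if it would escape.

    Containment is tested on fully resolved paths with os.path.commonpath,
    not with a string prefix, so base 'code' does not accidentally admit a
    sibling directory such as 'codex'.
    """
    # os.path.join discards every earlier component when it meets an
    # absolute path, so an absolute filename must never reach the join.
    if os.path.isabs(filename):
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, filename))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def classify(encoded_segment):
    """Return (decoded filename, path the vulnerable code opens,
    path the hardened code allows or None)."""
    filename = decode_route_segment(encoded_segment)
    return filename, vulnerable_target(filename), safe_target(filename)


if __name__ == "__main__":
    # Constructed inputs: the advisory's PoC segment, a benign request,
    # a sibling-directory escape and an absolute path.
    for seg in ("%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd",
                "index.html", "..%2fcodex%2fsecret", "%2fetc%2fpasswd"):
        print(classify(seg))
```

The check has to run on the decoded value, which is what the view receives: browsers collapse a literal ../ before sending the request, but pass %2e%2e%2f through untouched, and the WSGI layer decodes it on the server side. In a real Flask view the same containment check is available as werkzeug.utils.safe_join, and flask.send_from_directory applies it before opening the file, which is the simplest fix for a view like code().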

CLA Requirements:

This section is only relevant if your project requires contributors to sign a Contributor License Agreement (CLA) for external contributions.

All contributed commits are already automatically signed off.

The meaning of a signoff depends on the project, but it typically certifies that the committer has the rights to submit this work under the same license and agrees to a Developer Certificate of Origin (see https://developercertificate.org/ for more information).

Sponsorship and Support:

This work is done by the security researchers from OpenRefactory and is supported by the Open Source Security Foundation (OpenSSF): Project Alpha-Omega. Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code - and get them fixed - to improve global software supply chain security.

The bug is found by running the iCR tool by OpenRefactory, Inc. and then manually triaging the results.

Severity

Critical

CVE ID

CVE-2024-25123

Weaknesses

No CWEs

Credits