Relative Path Traversal in flarum/framework
Jun 11th 2021
The avatar URL returned by an OAuth provider during registration is passed to Intervention Image's
ImageManager::make function without any validation of the URL. Since
ImageManager::make also accepts a file path and reads it from disk, it is possible to inject arbitrary inputs like
storage/somefile.jpg or even absolute paths like
Proof of Concept
- Create a fake OAuth provider.
- Return a relative URL as avatar_url in the user details API call.
- Flarum passes that value as input to (new ImageManager)->make($url); which processes the relative path without any validation.
The data comes from third-party integrations, i.e. extensions that call external OAuth APIs. Where a trusted OAuth provider lets its users set custom URLs as their avatar URL, this bug can be exploited to read local files on the server running Flarum, and also for server-side request forgery.
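The following is an added example, not Flarum's code and not the fix the project shipped, showing the vulnerable call beside one way to harden it: the avatar URL is only accepted as an absolute http(s) URL whose host resolves to a public address, the bytes are fetched with the resolved address pinned so a DNS rebind cannot swap in an internal host, redirects are not followed, and only those bytes (never the raw string) reach ImageManager::make. The function names loadAvatarUnsafe, assertPublicHttpUrl, fetchRemoteImage and loadAvatarSafe are illustrative assumptions.

```php
<?php
// Added example (not Flarum's code): handling an OAuth-supplied avatar URL.
// Assumed names: loadAvatarUnsafe, assertPublicHttpUrl, fetchRemoteImage,
// loadAvatarSafe are illustrative; $avatarUrl is the attacker-influenced
// avatar_url value from a hypothetical OAuth user details response.

use Intervention\Image\ImageManager;

/** Vulnerable pattern: make() accepts a path, so 'storage/somefile.jpg' is read from disk. */
function loadAvatarUnsafe(ImageManager $manager, string $avatarUrl)
{
    return $manager->make($avatarUrl);
}

/**
 * Accept only an absolute http(s) URL whose host resolves to a public IPv4
 * address. Returns [host, port, ip] so the caller can pin the resolution.
 * IPv6 literals are rejected here as a conservative default.
 */
function assertPublicHttpUrl(string $url): array
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('avatar_url is not an absolute URL');
    }
    $parts  = parse_url($url);
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('avatar_url must use http or https');
    }
    $host = $parts['host'] ?? '';
    if ($host === '') {
        throw new InvalidArgumentException('avatar_url has no host');
    }
    $port = (int) ($parts['port'] ?? ($scheme === 'https' ? 443 : 80));

    // gethostbyname() returns the name unchanged on failure; that then fails
    // the IP check below. Loopback, link-local, private and reserved ranges
    // are refused to block SSRF against the server itself or its network.
    $ip = gethostbyname($host);
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        throw new InvalidArgumentException("avatar_url host resolves to a disallowed address ($ip)");
    }
    return [$host, $port, $ip];
}

/** Fetch the image bytes with the resolved IP pinned, no redirects, and a size cap. */
function fetchRemoteImage(string $url, int $maxBytes = 2 * 1024 * 1024): string
{
    [$host, $port, $ip] = assertPublicHttpUrl($url);

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        // A 30x to file:// or to 127.0.0.1 would bypass the check above.
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        // Pin host:port to the address we validated (defeats DNS rebinding).
        CURLOPT_RESOLVE        => ["$host:$port:$ip"],
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        // Only enforced when Content-Length is sent, hence the strlen check below.
        CURLOPT_MAXFILESIZE    => $maxBytes,
    ]);
    $body   = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $err    = curl_error($ch);
    curl_close($ch);

    if ($body === false || $status !== 200) {
        throw new RuntimeException("avatar fetch failed: HTTP $status $err");
    }
    if (strlen($body) > $maxBytes) {
        throw new RuntimeException('avatar exceeds size limit');
    }
    // Sniff the bytes; do not trust the Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($body);
    if (!in_array($mime, ['image/jpeg', 'image/png', 'image/gif', 'image/webp'], true)) {
        throw new RuntimeException("unexpected content type $mime");
    }
    return $body;
}

/** Hardened pattern: make() only ever sees image bytes we fetched ourselves. */
function loadAvatarSafe(ImageManager $manager, string $avatarUrl)
{
    return $manager->make(fetchRemoteImage($avatarUrl));
}
```

With this arrangement the payloads from the proof of concept (storage/somefile.jpg, an absolute path, or any URL aimed at localhost or a private range) are rejected before Intervention Image is involved, and a provider that returns a real image URL still works.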