Relative Path Traversal in flarum/framework
Reported on
Jun 11th 2021
✍️ Description
The avatar URL returned by OAuth registration is passed to Intervention Image's ImageManager::make function without any validation of the URL. Since ImageManager::make accepts a relative path and reads the corresponding file, it is possible to inject arbitrary inputs such as storage/somefile.jpg or even absolute paths such as /home/someimage.jpg.
🕵️‍♂️ Proof of Concept
- Create a fake OAuth provider.
- Return some relative URL as avatar_url in the user details API call.
- It will be passed as input to (new ImageManager)->make($url); which will process the relative path without any validation.
💥 Impact
The data comes from third-party integrations, i.e., extensions that call external OAuth APIs. In some conditions, where a trusted OAuth provider allows its users to set custom URLs as avatar URLs, this bug can be exploited to read local files on the server running Flarum, as well as for server-side request forgery.
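As an added illustration of the guard the maintainers describe below (the patch rejects any avatar URL whose scheme is not http(s)), here is a stand-alone PHP check that is not Flarum's or Intervention Image's own code; the function name avatarUrlIsSafe() and the sample URLs are constructed for this example:

```php
<?php
// Added example, not part of the Flarum report or patch.
// Guard that should sit between an OAuth provider's avatar_url and
// ImageManager::make(). Function name avatarUrlIsSafe() is hypothetical.

/**
 * Returns true only for absolute http(s) URLs that carry a host.
 * Rejects relative paths (storage/somefile.jpg), absolute filesystem
 * paths (/home/someimage.jpg) and stream wrappers such as phar:// or
 * file://, all of which ImageManager::make() would otherwise treat as
 * local files to open.
 */
function avatarUrlIsSafe(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false) {
        return false;                       // unparseable input
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;                       // no scheme (a bare path) or a non-HTTP wrapper
    }
    if (empty($parts['host'])) {
        return false;                       // e.g. "http:relative.jpg"
    }
    // Equivalent Illuminate-style rule: 'avatar_url' => ['url', 'regex:/^https?:\/\//i']
    return true;
}

// Constructed inputs mirroring the shapes discussed in the report.
$samples = [
    'https://cdn.example.test/u/42.png' => true,
    'storage/somefile.jpg'              => false,
    '/home/someimage.jpg'               => false,
    'phar:///tmp/uploaded.phar'         => false,
    'file:///tmp/anything.jpg'          => false,
];

foreach ($samples as $url => $expected) {
    $ok = avatarUrlIsSafe($url);
    printf("%-36s %s\n", $url, $ok ? 'accepted' : 'rejected');
    if ($ok !== $expected) {
        throw new RuntimeException("unexpected verdict for $url");
    }
}

// Call site: hand the URL to Intervention only after it passed the guard.
// $image = avatarUrlIsSafe($url) ? (new ImageManager)->make($url) : null;
```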
Occurrences
Hey @0xcrypto - we have contacted the maintainer and we are awaiting a response from them.
We talked about this internally (although seemingly I have been the only one to get notified). Our code in Registration signifies only a URL is allowed; we just don't validate against it.
So that's what we are going to do, thanks for discovering this one.
Please understand that currently no oauth extensions abuse this logic (as owner of the flarum extension directory extiverse.com I just checked each published oauth extension). No users have been impacted so far.
On another tangent, we think that the severity is overclassified. This vulnerability is not a direct one. Abusing the avatar URL by using the local filesystem instead of providing an avatar URL will cause the ImageManager to error and stop. The only way this system can be used is if the ImageManager does not sanitize its input. Intervention is very reliable, so the chances of this happening are limited.
Thanks for the quick patch!
While fixing, please take the phar metadata deserialization vulnerability in PHP 7.x into consideration. It is possible to pass a phar:// URL to filesystem functions like file_get_contents (Intervention Image's ImageManager::make does that internally) and exploit a POP gadget chain from within a phar file. This requires a phar file to be uploaded (extensions don't matter here) though.
I am currently analyzing Validator for any bypass to this and will let you know.
Please note that immediately below the Illuminate validator, the patch validates that the URI scheme is http(s), and will otherwise throw an error.
I see that the patch has been merged to the master branch, can we confirm the fix here as well?
I don't think it has been merged yet: https://github.com/flarum/core/compare/master...davwheat:dw/huntr-fix-path-traversal
Oh my bad... I confused it for https://github.com/flarum/core/pull/2906
Can the severity be reduced @admin to 2.6:
CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N
PR: https://github.com/flarum/core/pull/2923