Path Traversal in dmpop/mejiro

Valid

Reported on Sep 14th 2021

Description

A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with "dot-dot-slash (../)" sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration files and critical system files.

https://github.com/dmpop/mejiro is vulnerable to path traversal as shown below:

Proof of Concept

Variable: $photo_dir
Snippet (index.php#L98-L101):

// As the proof of concept below shows, $photo_dir incorporates the
// user-controlled d= query parameter without sanitisation, so the
// mkdir() call can be pointed outside the intended photo directory.
if (!file_exists($photo_dir) || !file_exists($photo_dir . 'tims')) {
    mkdir($photo_dir, 0777, true);
}

Make the following request in a browser:

http://localhost/mejiro-main/index.php?page=2test&d=../../pathtrav

The request creates a new directory one level above the mejiro project directory, confirming the path traversal.
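The defensive counterpart, as an added example that is not mejiro's own code or its actual fix: the requested sub-directory is restricted to an allow-list of plain path segments and the resulting path is checked to stay inside the photo root before any mkdir() happens. The function and variable names, the $base location and the 0755 mode are assumptions made for this example.

```php
<?php
// Added example (not mejiro's code): build $photo_dir safely from the d= parameter.
// Assumptions: the photo root lives at __DIR__ . '/photos' and thumbnails go in 'tims'.

function safe_photo_dir(string $base, string $d): ?string
{
    // The base directory must exist; realpath() canonicalises it and drops any
    // trailing slash, which makes the containment check below unambiguous.
    $real_base = realpath($base);
    if ($real_base === false || !is_dir($real_base)) {
        return null;
    }

    // Allow-list rather than block-list: only [A-Za-z0-9_-] segments joined by '/'.
    // This rejects '..', leading '/', backslashes, NUL bytes and percent-encoded
    // variants (PHP has already URL-decoded the query string at this point),
    // so the proof-of-concept value '../../pathtrav' never reaches mkdir().
    if ($d !== '' && !preg_match('#\A[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*\z#', $d)) {
        return null;
    }

    $candidate = ($d === '') ? $real_base : $real_base . '/' . $d;

    // Belt and braces: the final path must still start with the canonical base.
    if (strpos($candidate . '/', $real_base . '/') !== 0) {
        return null;
    }

    return $candidate . '/';
}

// Usage: refuse the request instead of creating a directory outside the photo root.
$base = __DIR__ . '/photos';          // assumed photo root
$d = $_GET['d'] ?? '';
if (!is_string($d)) {                 // d[]=... would arrive as an array
    $d = '';
}

$photo_dir = safe_photo_dir($base, $d);
if ($photo_dir === null) {
    http_response_code(400);
    exit('Invalid directory');
}

if (!file_exists($photo_dir . 'tims')) {
    // 0755 instead of 0777: the web server user needs to write here, nobody else does.
    mkdir($photo_dir . 'tims', 0755, true);
}
```

Validating against an allow-list is preferable to stripping "../" sequences, because a block-list has to anticipate every encoding and separator the platform accepts; the trailing containment check then catches anything the pattern might miss if it is later relaxed.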

Impact

In some cases, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server.

Timeline

We have contacted a member of the dmpop/mejiro team and are waiting to hear back (20 days ago)
Dmitri Popov validated this vulnerability (14 days ago)
hitisec has been awarded the disclosure bounty
The fix bounty is now up for grabs
Dmitri Popov confirmed that a fix has been merged on 23429b (14 days ago)
Dmitri Popov has been awarded the fix bounty
index.php#L98-L101 has been validated