Path Traversal in plankanban/planka

Valid

Reported on

Aug 2nd 2022


Description

Via the /attachments/:id/download/thumbnails/:filename endpoint, an authenticated user can read any file on the system through a path traversal vulnerability in the filename parameter.

The filename parameter is not sanitized and is used to build the path of the target file. Using the URL-encoded value of the slash character, %2F, an attacker can traverse to any directory and read any file the server process can access.

Proof of Concept

  1. Log in and get the id of a project that has at least one image. If no image is available, upload a new one.
  2. Sending the following request allows reading the contents of the /proc/self/environ file.
GET http://localhost:3000/attachments/<project-id>/download/thumbnails/..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron


Impact

With this vulnerability an attacker can read sensitive files such as configuration files or /proc/self/environ, which contains the environment variables of the web server process, including database credentials. If the web server runs as root, an attacker will be able to read any file on the system.

We are processing your report and will contact the plankanban/planka team within 24 hours. a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
We have contacted a member of the plankanban/planka team and are waiting to hear back a year ago
Maksim Eltyshev validated this vulnerability a year ago
vultza has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Maksim Eltyshev marked this as fixed in 1.5.1 with commit ac1df5 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
download-thumbnail.js#L57 has been validated
Maksim Eltyshev gave praise a year ago
Thank you so much for reporting this issue!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
amammad
a year ago

I want to say that you can request a CVE here from the Huntr team!

Jamie Slome
a year ago

Admin


Sorted :)

vultza
a year ago

Researcher


Thanks guys, appreciated.
