Sunday, 12 May 2019

Path Traversal in WEBrick via SYMLINK

Summary: The WEBrick gem 1.4.2 for Ruby allows directory traversal if the attacker once had local access to create a symlink to a location outside of the web root directory.

NOTE: The vendor states that this is analogous to Options FollowSymlinks in the Apache HTTP Server, and therefore it is "not a problem."

Technical Observation: A path traversal issue was observed in WEBrick (WEBrick/1.4.2 (Ruby/2.6.3/)) via symlink. WEBrick serves static page for the current directory once enabled, however using symlink attacker could view data outside the hosted/running directory.

Steps to reproduce:
mkdir nothing
 cd nothing
 ln -s ../../ symlnk
 ruby -run -ehttpd . -p8080
ImpactThis would allow the attacker to view sensitive data outside the root/running directory.

Remediation: In order to solve the problem, we should simply check the absolute/real path of any user input paths and if the absolute path is outside the home directory, then return an error response, This way users will not lose the possible benefits of symbolic links.
Educating users about this behavior in the docs and probably providing a flag to disable/enable the symlinks.

After reporting this to WEBrick team, they will add below statement in WEBrick documentation.

"WEBrick can be run as a production server for small loads. Be aware that symlinks might allow users to view data outside of the designated root directory, such as for the Apache webserver with the FollowSymlinks option enabled".


Apart from WEBrick, I reported the same vulnerability in one of the npm module (simplehttpserver) via H1 but went duplicate. Also, the issue exists in python modules `SimpleHTTPServer` and `http.server` but python security team says these servers should not be used in production and they have already mentioned it in their documentation.

I also found PHP -S module and hhvm protect against this vulnerability by default, a disputed CVE-2019-11879 was assigned to this issue against WEBrick.

0 coment�rios:

Post a Comment