Project

General

Profile

Actions
Copy link

Bug #2898

closed

security: path traversal in mod_alias (in some use cases)

Added by gstrauss over 5 years ago. Updated over 5 years ago.

Status:
Fixed
Priority:
High
Category:
mod_alias
Target version:
1.4.50
ASK QUESTIONS IN Forums:

Description

security: path traversal in mod_alias (in some use cases)

credit: Orange Tsai(@orange_8361) from DEVCORE

server.modules += ( "mod_alias" )
alias.url += ( "/tmp" => "/tmp/" )

Please note, there is no trailing slash in the first one, and with trailing slash in the second one
(I copied this syntax from your documentation wiki)
https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModAlias

Because lighttpd use "find" and "replace" to handle alias.

If we access "http://127.0.0.1/tmp/test", the real file "/tmp//test" will
be accessed, but if we access "http://127.0.0.1/tmp../etc/passwd", we can
access "/tmp/../etc/passwd"

The bug can be exploited to access exactly one directory level above the alias target (and then anything below that point to which the webserver has access)

A fix has been committed in 2105dae0

Actions
Copy link
 #1

Updated by gstrauss over 5 years ago

  • Priority changed from Normal to High
Actions
Copy link

Also available in: Atom