Bug #2898

security: path traversal in mod_alias (in some use cases)

Added by gstrauss 3 months ago. Updated 3 months ago.

Status: Fixed
Priority: High
Assignee: -
Category: mod_alias
Target version:
Start date: 2018-08-12
Due date:
% Done: 0%
Estimated time:
Missing in 1.5.x:

Description

security: path traversal in mod_alias (in some use cases)

credit: Orange Tsai (@orange_8361) from DEVCORE

server.modules += ( "mod_alias" )
alias.url += ( "/tmp" => "/tmp/" )

Please note that there is no trailing slash in the first one, and there is a trailing slash in the second one
(I copied this syntax from your documentation wiki)
https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModAlias

Because lighttpd uses "find" and "replace" to handle aliases.

If we access "http://127.0.0.1/tmp/test", the real file "/tmp//test" will be accessed, but if we access "http://127.0.0.1/tmp../etc/passwd", we can access "/tmp/../etc/passwd".

The bug can be exploited to access exactly one directory level above the alias target (and then anything below that point to which the webserver has access)

A fix has been committed in 2105dae0
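As an added illustration (my own code, not lighttpd's mod_alias and not the fix in 2105dae0), a small Python model of the prefix find-and-replace described above, placed next to a hardened matcher that requires a path-segment boundary after an alias key that has no trailing slash. The boundary rule is my assumption about a sufficient check; the alias rule mirrors the configuration in the report.

```python
"""Added example: model of mod_alias-style prefix matching, vulnerable vs. hardened."""
import posixpath
from typing import List, Optional, Tuple

# Constructed config mirroring the report: key without trailing slash,
# target with trailing slash.
ALIAS_RULES: List[Tuple[str, str]] = [("/tmp", "/tmp/")]


def alias_vulnerable(uri: str, rules=ALIAS_RULES) -> Optional[str]:
    """Plain find-and-replace on the URI prefix (the behaviour the bug describes).

    "/tmp../etc/passwd" starts with "/tmp", so it becomes "/tmp/../etc/passwd":
    the ".." segment is created by the replacement and survives to the filesystem.
    """
    for key, target in rules:
        if uri.startswith(key):
            return target + uri[len(key):]
    return None


def alias_fixed(uri: str, rules=ALIAS_RULES) -> Optional[str]:
    """Prefix match that also demands a segment boundary after the key.

    Assumption (mine, not a quote of the committed fix): when the key does not
    end in '/', the URI must end right after the key or continue with '/'.
    "/tmp../etc/passwd" fails that test and is not aliased at all.
    """
    for key, target in rules:
        if not uri.startswith(key):
            continue
        rest = uri[len(key):]
        if key.endswith("/") or rest == "" or rest.startswith("/"):
            return target + rest
    return None


def resolved_path(fs_path: str) -> str:
    """Collapse '//' and '..' the way the OS will when the file is opened."""
    return posixpath.normpath(fs_path)


def escapes_target(fs_path: str, target: str) -> bool:
    """True if the resolved path lands outside the alias target directory."""
    base = posixpath.normpath(target)
    resolved = resolved_path(fs_path)
    return not (resolved == base or resolved.startswith(base + "/"))
```

Running `escapes_target(alias_vulnerable(uri), "/tmp/")` over access-log request paths is a cheap way to flag requests that would have escaped the alias target on an unpatched build.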

History

#1

Updated by gstrauss 3 months ago

  • Priority changed from Normal to High
