twisted web FilePath uri-encoding bypass (directory traversal)
| Reported by: | jhart | Owned by: | |
| Component: | web | Keywords: | uri encode directory traversal |
| Cc: | jhart@…, Jean-Paul Calderone | Branch: | |
I discovered this while casually looking at an application written in TwistedWeb/2.1.0, but have also verified that this likely also exists in version 2.5.0, so chances are that all versions are vulnerable.
The issue is simple. FilePath does not properly check for uri encoded path separators ('/', aka %2F) and, as a result, its checks for directory traversals and the like are not caught and handled by InsecurePath.
The test is simple. Find any simple HTTP server written in twistedweb and try getting /..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
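The failure mode the report describes, reduced to a standard-library sketch for anyone writing a regression test or a hardened path resolver. This is an added example, not Twisted's code and not part of the original ticket; `ROOT`, `naive_resolve`, `safe_resolve`, `is_rejected` and `InsecureSegment` are hypothetical names, and the document root is constructed.

```python
import posixpath
from urllib.parse import unquote

ROOT = "/srv/www"  # constructed document root (assumption for this example)


class InsecureSegment(ValueError):
    """A decoded URL segment could escape the document root."""


def naive_resolve(root, raw_path):
    # Flawed order: segments are checked while still percent-encoded and
    # decoded afterwards, so an encoded separator hides "../" from the check.
    segments = [s for s in raw_path.split("/") if s]
    if ".." in segments:
        raise InsecureSegment(raw_path)
    return posixpath.normpath(posixpath.join(root, *map(unquote, segments)))


def safe_resolve(root, raw_path):
    # Decode each segment first, then validate the decoded form.
    resolved = root
    for raw in raw_path.split("/"):
        seg = unquote(raw)
        if seg in ("", "."):
            continue
        # A single segment must never contain a separator, "..", or NUL.
        if seg == ".." or "/" in seg or "\\" in seg or "\x00" in seg:
            raise InsecureSegment(repr(seg))
        resolved = posixpath.join(resolved, seg)
    # Defence in depth: the normalised result must still sit under root.
    final = posixpath.normpath(resolved)
    if posixpath.commonpath([root, final]) != root:
        raise InsecureSegment(final)
    return final


def is_rejected(raw_path):
    # Convenience wrapper for regression tests.
    try:
        safe_resolve(ROOT, raw_path)
    except InsecureSegment:
        return True
    return False
```
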