Ticket #2859 (closed defect: invalid)

Opened 3 years ago

Last modified 3 years ago

twisted web FilePath uri-encoding bypass (directory traversal)

Reported by: jhart Owned by: jknight
Priority: high Milestone:
Component: web Keywords: uri encode directory traversal
Cc: jhart@…, exarkun Branch:
Author: Launchpad Bug:

Description

I discovered this while casually looking at an application written in TwistedWeb/2.1.0, but have also verified that this likely also exists in version 2.5.0, so chances are that all versions are vulnerable.

The issue is simple. FilePath does not properly check for uri encoded path separators ('/', aka %2F) and, as a result, its checks for directory traversals and the like are not caught and handled by InsecurePath.

The test is simple. Find any simple HTTP server written in twistedweb and try getting /..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
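As an added illustration of the check this report is about (this is not code from the ticket or from Twisted itself): the request path is split on the literal '/' first, each segment is percent-decoded exactly once afterwards, and a decoded segment is rejected if it contains a separator or is '..', so an encoded %2f can never act as a directory boundary. The names `safe_child` and `resolve_request_path` and the `/srv/www` base directory are assumptions made for this example.

```python
import os
from urllib.parse import unquote


class InsecurePath(Exception):
    """Raised when a decoded segment would escape the served directory."""


def safe_child(base_dir, segment):
    """Resolve one already-split URL path segment directly below base_dir.

    Decoding happens per segment, after the path was split on the literal
    '/', so '%2f' becomes a '/' inside a single segment and is rejected
    here instead of acting as a separator.
    """
    decoded = unquote(segment)  # decode exactly once; never re-decode
    # A decoded segment must name a single entry: no separators, no '..'.
    if "/" in decoded or os.sep in decoded or (os.altsep and os.altsep in decoded):
        raise InsecurePath("separator in segment: %r" % segment)
    if decoded in ("", ".", ".."):
        raise InsecurePath("relative segment: %r" % segment)
    base = os.path.abspath(base_dir)
    candidate = os.path.abspath(os.path.join(base, decoded))
    # Belt and braces: the result must still live under base_dir.
    if os.path.commonpath([base, candidate]) != base:
        raise InsecurePath("escapes base: %r" % segment)
    return candidate


def resolve_request_path(base_dir, url_path):
    """Map a raw request path such as '/..%2fetc%2fpasswd' onto the filesystem.

    Returns the resolved absolute path, or None when any segment is rejected.
    """
    # Split on the literal '/' first; encoded separators survive the split
    # as part of a segment and are caught by safe_child.
    segments = [s for s in url_path.split("/") if s]
    current = os.path.abspath(base_dir)
    try:
        for seg in segments:
            current = safe_child(current, seg)
    except InsecurePath:
        return None
    return current


if __name__ == "__main__":
    # Constructed sample requests: the ticket's encoded traversal and a plain one.
    for path in ("/..%2f..%2fetc%2fpasswd", "/../../etc/passwd", "/css/site.css"):
        print(path, "->", resolve_request_path("/srv/www", path))
```

Note that a double-encoded segment such as `..%252f..` decodes once to the literal file name `..%2f..`, which is accepted as a single (non-existent) entry rather than decoded again into a separator.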

Change History

Changed 3 years ago by jhart

  • cc jhart@… added

Changed 3 years ago by exarkun

  • cc exarkun added

Can you be a bit more specific about the vulnerability?

twistedmatrix.com runs a Twisted Web based server, for example. If you try this URL:

 http://twistedmatrix.com/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

Then you do not see the twistedmatrix.com passwd file.

Changed 3 years ago by jhart

Am I misunderstanding this, or does twistedmatrix.com run web2?

Server: Twisted/2.4.0 TwistedWeb/[twisted.web2, version 0.2.0]

The code I was testing against was TwistedWeb/2.1.0. I've only been able to find two other projects utilizing twisted web -- apt-proxy2 (which has checks that happen to prevent this) and bannerfish (which I cannot get to run). Do you have any other simple HTTP services that use twisted web that are not web2?

-jon

Changed 3 years ago by exarkun

exarkun@charm:~$ telnet twistedmatrix.com 80
Trying 66.35.39.65...
Connected to twistedmatrix.com.
Escape character is '^]'.
GET / HTTP/1.1
Host: twistedmatrix.com

HTTP/1.1 302 Found
Date: Wed, 31 Oct 2007 16:42:57 GMT
Content-length: 238
Content-type: text/html
Location: http://twistedmatrix.com/trac/
Server: TwistedWeb/2.5.0


<html>
    <head>
        <meta http-equiv="refresh" content="0;URL=http://twistedmatrix.com/trac/">
    </head>
    <body bgcolor="#FFFFFF" text="#000000">
    <a href="http://twistedmatrix.com/trac/">click here</a>
    </body>
</html>

/trac is reverse-proxied to a twisted.web2 server, the rest is twisted.web-based.

Changed 3 years ago by jhart

I may have misdiagnosed this.

The vendor has fixed this in their version of the code -- see http://www.splunk.com/doc/3.1.1/releasenotes/KnownIssues

If someone knows of an HTTP application that uses a similarly old version of Twistedweb and can test this, go for it, otherwise we can probably go ahead and close this.

-jon

Changed 3 years ago by exarkun

  • status changed from new to closed
  • resolution set to invalid

Thanks for following up. Since there isn't a demonstrated vulnerability and there is test coverage for correct handling of the case in question, I'm going to close this. If you learn anything else, feel free to re-open it with more information.
