Opened 9 years ago

Closed 9 years ago

#2859 defect closed invalid (invalid)

twisted web FilePath uri-encoding bypass (directory traversal)

Reported by: jhart Owned by:
Priority: high Milestone:
Component: web Keywords: uri encode directory traversal
Cc: jhart@…, Jean-Paul Calderone Branch:
Author:

Description

I discovered this while casually looking at an application written in TwistedWeb/2.1.0, but have also verified that this likely also exists in version 2.5.0, so chances are that all versions are vulnerable.

The issue is simple. FilePath does not properly check for uri encoded path separators ('/', aka %2F) and, as a result, its checks for directory traversals and the like are not caught and handled by InsecurePath.

The test is simple. Find any simple HTTP server written in twistedweb and try getting /..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

Change History (7)

comment:1 Changed 9 years ago by jhart

Cc: jhart@… added

comment:2 Changed 9 years ago by Jean-Paul Calderone

Cc: Jean-Paul Calderone added

Can you be a bit more specific about the vulnerability?

twistedmatrix.com runs a Twisted Web based server, for example. If you try this URL:

http://twistedmatrix.com/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

Then you do not see the twistedmatrix.com passwd file.

comment:3 Changed 9 years ago by jhart

Am I misunderstanding this, or does twistedmatrix.com run web2?

Server: Twisted/2.4.0 TwistedWeb/[twisted.web2, version 0.2.0]

The code I was testing against was TwistedWeb/2.1.0. I've only been able to find two other projects utilizing twisted web -- apt-proxy2 (which has checks that happen to prevent this) and bannerfish (which I cannot get to run). Do you have any other simple HTTP services that use twisted web that are not web2?

-jon

comment:4 Changed 9 years ago by Jean-Paul Calderone

exarkun@charm:~$ telnet twistedmatrix.com 80
Trying 66.35.39.65...
Connected to twistedmatrix.com.
Escape character is '^]'.
GET / HTTP/1.1
Host: twistedmatrix.com

HTTP/1.1 302 Found
Date: Wed, 31 Oct 2007 16:42:57 GMT
Content-length: 238
Content-type: text/html
Location: http://twistedmatrix.com/trac/
Server: TwistedWeb/2.5.0


<html>
    <head>
        <meta http-equiv="refresh" content="0;URL=http://twistedmatrix.com/trac/">
    </head>
    <body bgcolor="#FFFFFF" text="#000000">
    <a href="http://twistedmatrix.com/trac/">click here</a>
    </body>
</html>

/trac is reverse-proxied to a twisted.web2 server, the rest is twisted.web-based.

comment:5 Changed 9 years ago by jhart

I may have misdiagnosed this.

The vendor has fixed this in their version of the code -- see http://www.splunk.com/doc/3.1.1/releasenotes/KnownIssues

If someone knows of an HTTP application that uses a similarly old version of Twistedweb and can test this, go for it, otherwise we can probably go ahead and close this.

-jon

comment:6 Changed 9 years ago by Jean-Paul Calderone

Resolution: invalid
Status: new → closed

Thanks for following up. Since there isn't a demonstrated vulnerability and there is test coverage for correct handling of the case in question, I'm going to close this. If you learn anything else, feel free to re-open it with more information.
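As an added illustration of the "case in question" (this is example code written for this page, not Twisted's FilePath or its test suite; the document root, function and exception names are constructed), the following shows why the ticket's URL stays inside the served directory when each segment is percent-decoded only after the raw request path has been split on '/', and how a decode-first resolver would behave instead:

```python
"""Minimal model of safe child-path resolution for a static file server.
Constructed example; DOCROOT is never touched on disk."""
import posixpath
from urllib.parse import unquote


class InsecurePath(Exception):
    """Raised when a request segment would escape the served directory."""


DOCROOT = "/srv/www"  # constructed document root for the demonstration


def resolve(request_path: str, docroot: str = DOCROOT) -> str:
    """Map an HTTP request path to a filesystem path under docroot.

    Splitting on the raw '/' happens before decoding, so an encoded %2f
    can never create a new directory level; each decoded segment is then
    checked before it is joined onto docroot.
    """
    segments = [unquote(seg) for seg in request_path.split("/") if seg]
    for seg in segments:
        # A decoded separator ('%2f' -> '/'), a backslash, or a parent
        # reference means the client is trying to leave docroot.
        if "/" in seg or "\\" in seg or seg in (".", ".."):
            raise InsecurePath(f"rejected segment: {seg!r}")
    return posixpath.join(docroot, *segments)


def naive_resolve(request_path: str, docroot: str = DOCROOT) -> str:
    """The mistake the ticket worried about: decode the whole path first,
    then let the path library normalise the '..' components away."""
    decoded = unquote(request_path).lstrip("/")
    return posixpath.normpath(posixpath.join(docroot, decoded))


def is_inside(path: str, docroot: str = DOCROOT) -> bool:
    """Containment check usable as a final guard on any resolved path."""
    return posixpath.commonpath([docroot, path]) == docroot


def rejects(request_path: str) -> bool:
    """True if resolve() refuses the request with InsecurePath."""
    try:
        resolve(request_path)
    except InsecurePath:
        return True
    return False


if __name__ == "__main__":
    payload = "/" + "..%2f" * 9 + "etc%2fpasswd"  # the URL from the ticket
    print(naive_resolve(payload), is_inside(naive_resolve(payload)))
    print("split-then-decode rejects it:", rejects(payload))
```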

comment:7 Changed 6 years ago by <automation>

Owner: jknight deleted