Ticket #2859 (closed defect: invalid)

Opened 2 years ago

Last modified 2 years ago

twisted web FilePath uri-encoding bypass (directory traversal)

Reported by: jhart Assigned to: jknight
Type: defect Priority: high
Milestone: Component: web
Keywords: uri encode directory traversal Cc: jhart@spoofed.org, exarkun
Branch: Author:
Launchpad Bug:

Description

I discovered this while casually looking at an application written in TwistedWeb/2.1.0, but have also verified that it likely exists in version 2.5.0 as well, so chances are that all versions are vulnerable.

The issue is simple. FilePath does not properly check for URI-encoded path separators ('/', aka %2F) and, as a result, directory traversals and the like are not caught and handled by its InsecurePath checks.

The test is simple. Find any simple HTTP server written in twisted web and try getting /..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
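The following is an added example, not code from this ticket or from Twisted itself. It contrasts the two ways a static-file handler can map the probe URL above onto a directory: percent-decoding the whole path and then joining it to the base directory (where %2f becomes a real separator and the ".." components climb out of the tree), versus splitting the raw path on the literal "/" first, decoding each segment, and passing every segment through a FilePath.child-style check. twisted.web takes the second route: the request path is split on "/" and unquoted per element before resource traversal, so the probe arrives at File.getChild as a single segment "../../../etc/passwd", which child() refuses. The child() below is a stdlib re-implementation modelled on the approach of twisted.python.filepath.FilePath.child (an assumption about its logic, not the project's code); posixpath is used so results are the same on every platform, and the base directory /srv/www is made up.

```python
# Added example (not Twisted's code): decode-then-join versus
# split-then-decode handling of a request path containing %2f.
import posixpath
from urllib.parse import unquote


class InsecurePath(Exception):
    """A single child name that would leave its parent directory."""


def child(parent, name):
    """Return parent/name, or raise InsecurePath.

    Modelled on FilePath.child (assumption): a child name must be one plain
    directory entry. After normalisation it may not contain a separator,
    and joining it to the parent may not produce a path outside the parent.
    """
    norm = posixpath.normpath(name)
    if "/" in norm:
        raise InsecurePath("segment %r contains a separator" % name)
    new = posixpath.normpath(posixpath.join(parent, norm))
    if new != parent and not new.startswith(parent.rstrip("/") + "/"):
        raise InsecurePath("segment %r escapes %r" % (name, parent))
    return new


def resolve_decode_then_join(base, request_path):
    """The vulnerable shape: unquote the whole path, then join and normalise.

    %2f turns into a real '/', so ".." components become directory climbs.
    """
    decoded = unquote(request_path).lstrip("/")
    return posixpath.normpath(posixpath.join(base, decoded))


def resolve_split_then_decode(base, request_path):
    """The twisted.web shape: split on the literal '/', unquote per segment,
    and check each segment with child().

    Returns None where a twisted.web File resource would answer 404: its
    getChild catches InsecurePath and returns its childNotFound resource.
    """
    path = base
    try:
        for segment in request_path.split("/"):
            if segment:  # "" comes from the leading or a doubled slash
                path = child(path, unquote(segment))
    except InsecurePath:
        return None
    return path


# The probe string from the ticket description.
PROBE = "/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"

if __name__ == "__main__":
    base = "/srv/www"  # made-up document root
    for label, fn in (("decode-then-join", resolve_decode_then_join),
                      ("split-then-decode", resolve_split_then_decode)):
        print("%-18s %s -> %r" % (label, PROBE, fn(base, PROBE)))
```

Two things are worth noticing when running it. A plain, unencoded "/../../etc/passwd" is also refused by the split-then-decode route, because the ".." segment resolves to a path outside its parent. And a double-encoded "%252f" decodes only once, to the literal characters "%2f", so it names a file called "..%2f.." inside the base directory rather than a separator; the single decode before the check is what keeps that harmless.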


Change History

  2007-10-31 06:43:29+00:00 changed by jhart

  • cc set to jhart@spoofed.org

  2007-10-31 11:38:56+00:00 changed by exarkun

  • cc changed from jhart@spoofed.org to jhart@spoofed.org, exarkun

Can you be a bit more specific about the vulnerability?

twistedmatrix.com runs a Twisted Web based server, for example. If you try this URL:

http://twistedmatrix.com/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

Then you do not see the twistedmatrix.com passwd file.

  2007-10-31 16:33:07+00:00 changed by jhart

Am I misunderstanding this, or does twistedmatrix.com run web2?

Server: Twisted/2.4.0 TwistedWeb/[twisted.web2, version 0.2.0]

The code I was testing against was TwistedWeb/2.1.0. I've only been able to find two other projects utilizing twisted web -- apt-proxy2 (which has checks that happen to prevent this) and bannerfish (which I cannot get to run). Do you have any other simple HTTP services that use twisted web that are not web2?

-jon

  2007-10-31 16:43:36+00:00 changed by exarkun

exarkun@charm:~$ telnet twistedmatrix.com 80
Trying 66.35.39.65...
Connected to twistedmatrix.com.
Escape character is '^]'.
GET / HTTP/1.1
Host: twistedmatrix.com
HTTP/1.1 302 Found
Date: Wed, 31 Oct 2007 16:42:57 GMT
Content-length: 238
Content-type: text/html
Location: http://twistedmatrix.com/trac/
Server: TwistedWeb/2.5.0
<html>
    <head>
        <meta http-equiv="refresh" content="0;URL=http://twistedmatrix.com/trac/">
    </head>
    <body bgcolor="#FFFFFF" text="#000000">
    <a href="http://twistedmatrix.com/trac/">click here</a>
    </body>
</html>

/trac is reverse-proxied to a twisted.web2 server, the rest is twisted.web-based.

  2007-11-01 01:16:07+00:00 changed by jhart

I may have misdiagnosed this.

The vendor has fixed this in their version of the code -- see http://www.splunk.com/doc/3.1.1/releasenotes/KnownIssues

If someone knows of an HTTP application that uses a similarly old version of Twistedweb and can test this, go for it, otherwise we can probably go ahead and close this.

-jon

  2007-11-01 03:07:43+00:00 changed by exarkun

  • status changed from new to closed
  • resolution set to invalid

Thanks for following up. Since there isn't a demonstrated vulnerability and there is test coverage for correct handling of the case in question, I'm going to close this. If you learn anything else, feel free to re-open it with more information.
