uWSGI Directory Traversal
Posted Mar 2, 2018
Authored by Marios Nicolaides

uWSGI versions prior to 2.0.17 suffer from a directory traversal vulnerability.

tags | exploit, file inclusion
advisories | CVE-2018-7490
SHA-256 | e81a441330bd530dd0585c2f6ab174487c8c91e27174f850328ee26d1e4db873

# Exploit Title: uWSGI PHP Plugin Directory Traversal
# Date: 01-03-2018
# Exploit Author: Marios Nicolaides - RUNESEC
# Reviewers: Simon Loizides and Nicolas Markitanis - RUNESEC
# Vendor Homepage: https://uwsgi-docs.readthedocs.io
# Affected Software: uWSGI PHP Plugin before 2.0.17
# Tested on: uWSGI 2.0.12 and 2.0.15
# CVE: CVE-2018-7490
# Category: Web Application


OVERVIEW
--------
The uWSGI PHP plugin before 2.0.17 is vulnerable to Directory Traversal when used without specifying the "php-allowed-docroot" option.

The vulnerability exists due to improper validation of the file path when requesting a resource under the DOCUMENT_ROOT directory which is specified via "php-docroot".

A remote attacker could exploit this weakness to read arbitrary files from the vulnerable system using path traversal sequences ("..%2f").

This was tested on uWSGI 2.0.12 and 2.0.15. All versions before 2.0.17 are affected.


DETAILS
-------
The documentation of uWSGI states that the php-docroot option is used to jail our php environment to a project directory (http://uwsgi-docs.readthedocs.io/en/latest/PHP.html#run-php-apps-without-a-frontend-server).

; jail our php environment to project_dir
php-docroot = %(project_dir)

During testing it was observed that uWSGI was affected by a Directory Traversal vulnerability when run standalone (without a front-end web server) with the "php-docroot" option used to enforce the DOCUMENT_ROOT of the web application:

uwsgi --http-socket :1337 --protocol=http --plugin php --php-index index.php --php-docroot /home/testing/webapp/

An attacker could exploit this vulnerability by using path traversal sequences ("..%2f") to access sensitive information as demonstrated below:

http://example.runesec.com:1337/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd

We noticed that when a Directory Traversal attack was performed, uWSGI issued the following security error:

[uwsgi-fileserve] security error: /etc/passwd is not under /home/testing/webapp or a safe path

However, the contents of the requested file (i.e., /etc/passwd) were still returned to the user.

After searching the web for possible solutions, we noticed that the "php-allowed-docroot" option had previously been added to uWSGI for better security and could be used to list the allowed document roots, but no further details were available (http://lists.unbit.it/pipermail/uwsgi/2011-December/003180.html).

Upon further testing, we observed that when "php-allowed-docroot" was used instead of the "php-docroot" option, uWSGI was not affected by Directory Traversal attacks:

uwsgi --http-socket :1337 --protocol=http --plugin php --php-index index.php --php-allowed-docroot /home/testing/webapp/

After a very constructive and helpful talk with the uWSGI Project, they released an update which enforces a DOCUMENT_ROOT check when using the "php-docroot" option to prevent Directory Traversal attacks. Please see the MITIGATION section for more information.
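The following is an added illustration, not uWSGI's source and not code from the advisory's author. It models the two behaviours the DETAILS section contrasts: a docroot file server that percent-decodes the request path, maps it under the docroot and, on a containment violation, only logs the "[uwsgi-fileserve] security error" line but still returns the path (the pre-2.0.17 behaviour described above), beside an enforcing variant that refuses the request. It also includes a scanner for that log line, which is the one signal an unpatched instance leaves behind. The docroot, request paths and log lines are constructed from the values quoted in this advisory; the function names are this example's own.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed setup: the docroot used in the advisory's test command.
DOCROOT = "/home/testing/webapp/"


def map_request_path(docroot: str, request_path: str) -> str:
    """Translate a URL path into the filesystem path a naive docroot file
    server would open: percent-decode once (so "..%2f" becomes "../"),
    append the result to the docroot, and collapse "." and ".." segments.
    Nothing here checks containment; that is the caller's job."""
    decoded = unquote(request_path)
    joined = posixpath.join(docroot, decoded.lstrip("/"))
    return posixpath.normpath(joined)


def is_under(path: str, docroot: str) -> bool:
    """True if `path` is the docroot itself or lies strictly beneath it.
    Both sides are normalised first so a trailing slash on the docroot or
    a sibling such as /home/testing/webapp2 cannot fool the prefix check.
    A real server should additionally resolve symlinks (os.path.realpath)
    before comparing; that is omitted here so the example runs on
    constructed paths that need not exist on disk."""
    root = posixpath.normpath(docroot)
    norm = posixpath.normpath(path)
    return norm == root or norm.startswith(root + "/")


def weak_serve(docroot: str, request_path: str, log: list) -> str:
    """Constructed model of the behaviour the advisory describes for
    builds before 2.0.17 (not uWSGI's code): the violation is detected
    and logged, but the mapped path is still handed back to be served."""
    path = map_request_path(docroot, request_path)
    if not is_under(path, docroot):
        log.append(f"[uwsgi-fileserve] security error: {path} is not under "
                   f"{posixpath.normpath(docroot)} or a safe path")
    return path  # the flaw: returned even after the security error


def strict_serve(docroot: str, request_path: str) -> str:
    """Enforcing variant: a path outside the docroot is refused, not
    merely logged."""
    path = map_request_path(docroot, request_path)
    if not is_under(path, docroot):
        raise PermissionError(f"{path} is outside docroot {docroot}")
    return path


# Detection side: the log line format quoted in the advisory. On an
# unpatched instance the message is emitted even though the file is served,
# so it is worth alerting on.
SECURITY_ERROR_RE = re.compile(
    r"^\[uwsgi-fileserve\] security error: (?P<path>\S+) is not under "
    r"(?P<docroot>\S+) or a safe path$"
)


def traversal_alerts(log_lines):
    """Return (path, docroot) pairs for every security-error line found."""
    hits = []
    for line in log_lines:
        m = SECURITY_ERROR_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("docroot")))
    return hits


if __name__ == "__main__":
    request = "/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd"  # path from the advisory
    log = []
    print("weak server would open:", weak_serve(DOCROOT, request, log))
    print("logged:", log)
    try:
        strict_serve(DOCROOT, request)
    except PermissionError as e:
        print("strict server refused:", e)
    print("alerts:", traversal_alerts(log))
```

The containment check normalises both sides and compares against `root + "/"` rather than the bare prefix, which is the usual mistake in this kind of check; for a real deployment the comparison belongs after symlink resolution, and the log scanner is only a stopgap until the instance is upgraded to 2.0.17.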


IMPACT
------
An attacker could exploit this vulnerability to gain unauthorized read access to sensitive files located outside of the web root directory.


MITIGATION
----------
It is recommended to update to uWSGI 2.0.17 - https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.html


REFERENCES
----------
https://blog.runesec.com/2018/03/01/uwsgi-path-traversal/
https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7490
https://nvd.nist.gov/vuln/detail/CVE-2018-7490
https://www.owasp.org/index.php/Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)


TIMELINE
--------
26 June 2017 - uWSGI Project informed about the issue
26 February 2018 - uWSGI Project released a patch
1 March 2018 - Exploit publicly disclosed
