mpromonet / v4l2rtspserver

RTSP Server for V4L2 device capture supporting HEVC/H264/JPEG/VP8/VP9
The Unlicense

URL Traversal Issue w/Live555 Proxy #187

Closed CharlesCage closed 4 years ago

CharlesCage commented 4 years ago

Not entirely sure if this is just my own configuration stupidity or an issue, but I discovered that on the Pi where I have this deployed I can access etc/passwd by traversing via the streaming URL. Specifically:

http://[camera IP]:8554/../../../../../../etc/passwd

A GET request returns the file.

Appreciate any help you could offer. I've looked for a place where I can configure the LIVE555 proxy to prevent this, but can't find one. Is it something I can configure?

Thanks for all your hard work, btw!

mpromonet commented 4 years ago

Hi CharlesCage,

The embedded HTTP server avoids navigation with .., see HTTPServer.cpp.

    std::string pattern("../");
    while ((pos = url.find(pattern, pos)) != std::string::npos) {
        url.erase(pos, pattern.length());
    }

Do you access /etc/passwd using v4l2rtspserver or other software?

Best Regards, Michel.

CharlesCage commented 4 years ago

I'm accessing via v4l2rtspserver.

mpromonet commented 4 years ago

Dear CharlesCage,

I guess you are using a webroot that allows you to access /etc. If you start v4l2rtspserver with -b/ or -b/etc, obviously you can access /etc/passwd. By default the webroot is the working directory, so if you start v4l2rtspserver from / you expose the whole filesystem.

Best Regards, Michel.

CharlesCage commented 4 years ago

I'm starting v4l2rtspserver with the following:

/usr/local/bin/v4l2rtspserver -F 30 -W 1280 -H 720

Also confirmed that I'm not running the service in which this starts as root.

Is there any other config file or location where I might be specifying something different?

Thank you so much for your assistance, btw!

mpromonet commented 4 years ago

Hi @CharlesCage,

Then this depends on what the current directory is when you run the command /usr/local/bin/v4l2rtspserver -F 30 -W 1280 -H 720. Adding -b/tmp should fix your problem, or maybe better, using a nonexistent path?

Best Regards, Michel.
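The two points in this thread, the "../" removal loop quoted from HTTPServer.cpp and the webroot advice (default is the working directory; -b/ exposes the whole filesystem, -b/tmp or a nonexistent path does not), can be seen together in the following added example. It is editorial code, not the issue's or the project's own: the quoted loop is wrapped in a function with `pos` assumed to start at 0 (the quote does not show its declaration), the "strip, then append to the webroot" behaviour is an assumption about the surrounding server code, and `resolveUnderWebroot` is a hardened alternative written here, not something from v4l2rtspserver. Note that the quoted loop resumes its search at the position where it last erased, so an input that only becomes "../" after one erase (`....//`) is left in place; the hardened version resolves segment by segment instead and refuses any ".." that would climb above the webroot.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// The "../" removal loop quoted from HTTPServer.cpp in the issue, wrapped in a
// function. The quote does not show where `pos` is declared; starting it at 0
// is an assumption made here.
std::string stripDotDot(std::string url) {
    std::string pattern("../");
    std::string::size_type pos = 0;
    while ((pos = url.find(pattern, pos)) != std::string::npos) {
        url.erase(pos, pattern.length());
    }
    return url;
}

// Trim trailing slashes so "/" becomes "" and "/tmp/" becomes "/tmp";
// joining "<base>/<segment>" then never produces "//".
static std::string baseOf(const std::string& webroot) {
    std::string base = webroot;
    while (base.size() > 1 && base.back() == '/') base.pop_back();
    return base == "/" ? "" : base;
}

// Strip, then append to the webroot with no further checks. The thread says
// the default webroot is the working directory and that -b/ exposes the whole
// filesystem; that the join is a plain concatenation is assumed here, not
// taken from the project's source.
std::string stripThenJoin(const std::string& webroot, const std::string& urlPath) {
    std::string stripped = stripDotDot(urlPath);
    if (stripped.empty() || stripped[0] != '/') stripped = "/" + stripped;
    std::string out = baseOf(webroot) + stripped;
    return out.empty() ? "/" : out;
}

// Hardened alternative (not the project's code): resolve the request segment
// by segment, so ".." pops a directory and "." or "" is ignored, and refuse
// outright when ".." would climb above the webroot. Returns "" when rejected.
std::string resolveUnderWebroot(const std::string& webroot, const std::string& urlPath) {
    std::vector<std::string> parts;
    std::string seg;
    for (std::size_t i = 0; i <= urlPath.size(); ++i) {
        if (i < urlPath.size() && urlPath[i] != '/') {
            seg += urlPath[i];
            continue;
        }
        if (seg == "..") {
            if (parts.empty()) return "";   // would escape the webroot
            parts.pop_back();
        } else if (!seg.empty() && seg != ".") {
            parts.push_back(seg);
        }
        seg.clear();
    }
    std::string out = baseOf(webroot);
    for (const std::string& p : parts) out += "/" + p;
    return out.empty() ? "/" : out;
}

int main() {
    const char* req = "/../../../../../../etc/passwd";  // the URL path from the report
    std::cout << "webroot /    strip+join -> " << stripThenJoin("/", req) << "\n";
    std::cout << "webroot /tmp strip+join -> " << stripThenJoin("/tmp", req) << "\n";
    std::cout << "webroot /tmp strip+join -> " << stripThenJoin("/tmp", "/....//etc/passwd") << "\n";
    std::cout << "webroot /tmp resolve    -> [" << resolveUnderWebroot("/tmp", req) << "]\n";
    std::cout << "webroot /tmp resolve    -> " << resolveUnderWebroot("/tmp", "/....//etc/passwd") << "\n";
    return 0;
}
```

With the webroot at / the stripped request resolves to /etc/passwd under either approach, which is exactly the reporter's symptom and why the maintainer's answer is to change the webroot rather than the stripping; with -b/tmp the same request lands on /tmp/etc/passwd. The segment-based resolver additionally rejects the request outright instead of silently rewriting it, and does not let "/....//" through as "/../".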

CharlesCage commented 4 years ago

Thank you! This solved my issue. Appreciate your patience, and of course all your work on this project. :)

mpromonet commented 4 years ago

You are welcome.

Maybe I will change this; the HTTP server is a kind of hack of the RTSP server in order to serve the HLS/MPEG# segments. Maybe it would be a good thing to use civetweb as the HTTP server instead.