sintaxi / harp

Static Web Server/Generator/Bundler
http://harpjs.com

harp - Unauthorised File Access - Fix: #659

Closed JamieSlome closed 3 years ago

JamieSlome commented 4 years ago

https://github.com/mufeedvh fixed the vulnerability associated with Unauthorised File Access. This fix is being submitted on behalf of https://github.com/mufeedvh - they have been awarded $25 for fixing the vulnerability through the huntr bug bounty program.

Think you could fix a vulnerability like this? Get involved (https://huntr.dev).

Q | A
--- | ---
Version Affected | ALL
Bug Fix | YES
Further References | https://github.com/418sec/harp/pull/3

sintaxi commented 4 years ago

Thanks for the PR. I could use a bit more information. How is the file access unauthorized if there is a symlink in the project directory pointing to it? Why wouldn't we expect this file to be served?

JamieSlome commented 4 years ago

@sintaxi - thank you for your response!

The point is that if a symlink was accidentally created which linked to a sensitive file, this would expose the contents and result in accidental disclosure. If it was intentional disclosure, the user might just put the file directly in the web server's directory, rather than symlinking to it?

When a symlink in the project's base directory points to a file outside of the directory, the attacker can access sensitive files on the server, e.g. /etc/passwd...

toufik-airane commented 4 years ago

Dear @sintaxi, 👋

What exactly is a symlink vulnerability?

Symlink bugs are vulnerabilities that may allow a malicious user to overwrite or read arbitrary files with the permissions of the invoking vulnerable application or script. 👋

To exploit a Symlink bug, you may serve a malicious archive containing a symlink to force the application to compute the symlink as a shortcut to an arbitrary file on the file system.

JamieSlome commented 4 years ago

@sintaxi - any thoughts on the information provided above?

Adar-Checkmarx commented 4 years ago

Hi @sintaxi, I came across this discussion as part of security research concerning this vulnerability. Do you have any plans to merge this fix in harp? Please let me know. Thank you.