structured-data / linter

Structured Data linter
The Unlicense

The URL input doesn't check the user inputs #41

Closed SkypLabs closed 7 years ago

SkypLabs commented 7 years ago

Hi,

When I used your online tool to check the RDFa attributes of my own website, I got the following error:

error IOError: Failed to open blog.skyplabs.net: No such file or directory @ rb_sysopen - blog.skyplabs.net

The problem here is that I didn't specify http://. Consequently, the software tried to find blog.skyplabs.net as a local file. This issue leads to a directory traversal attack, allowing an attacker to disclose information about the remote system.

For example, it is possible to know if a directory exists or not (with ../etc/ssh as input):

error Errno::EISDIR: Is a directory @ io_fread - ../etc/ssh

When used on a file whose format is not recognised by the parser, the error message tends to leak some precious information (with ../etc/os-release as input):

validation ../etc/os-release: Errors found during processing

validation ../etc/os-release: ERROR [line 1] Lexer error: With input 'NAME="Ubuntu" VERSION="14.04.5 LTS, Trusty Tahr" ID=ubuntu ID_LIKE=debian PRETTY_NAME="Ubuntu 14.04.5': Invalid token "NAME=\"Ubuntu\"": {:production=>:statement, :token=>"NAME=\"Ubuntu\""}:

validation ../etc/os-release: FATAL recovery: statement: ["."]

For example, an attacker could use this vulnerability to reveal the installed and running services on the remote host (with ../etc/mysql/my.cnf as input):

validation ../etc/mysql/my.cnf: Errors found during processing

validation ../etc/mysql/my.cnf: ERROR [line 19] Lexer error: With input 'client] port = 3306 socket = /var/run/mysqld/mysqld.sock # Here is entries for some specific progr': Invalid token "client]": {:production=>:predicateObjectList, :token=>"client]"}:

validation ../etc/mysql/my.cnf: FATAL recovery: predicateObjectList: ";"

validation ../etc/mysql/my.cnf: FATAL recovery: blankNodePropertyList: "]"

validation ../etc/mysql/my.cnf: FATAL recovery: triples: ["."]

validation ../etc/mysql/my.cnf: FATAL recovery: statement: ["."] 

We know now that the MySQL server is installed on the remote server and listens on port 3306. To check if it is currently running or not (with ../var/run/mysqld/mysqld.sock as input):

error IOError: Failed to open ../var/run/mysqld/mysqld.sock: No such file or directory @ rb_sysopen - ../var/run/mysqld/mysqld.sock 

To fix this issue, the user inputs need to be checked to ensure that they are real URL addresses and not local files.

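The check the report asks for, as an added Ruby example (not the linter's own code; the function and error names are assumptions): reject any input that is not an absolute http/https URL with a host before it reaches a reader, so a bare hostname or a relative path such as ../etc/ssh is refused instead of being opened as a local file.

```ruby
require 'uri'

# Added example, not part of the linter: the names below are assumptions.
ALLOWED_SCHEMES = %w[http https].freeze

class InvalidInputURL < ArgumentError; end

# Returns a URI::HTTP/URI::HTTPS for acceptable input, raises InvalidInputURL otherwise.
def validate_remote_url(input)
  raise InvalidInputURL, "input is empty" if input.nil? || input.strip.empty?

  uri = begin
    URI.parse(input.strip)
  rescue URI::InvalidURIError => e
    raise InvalidInputURL, "not a parseable URL: #{e.message}"
  end

  # A bare hostname ("blog.skyplabs.net") or a relative path ("../etc/ssh")
  # parses with no scheme at all; that is exactly the input that was being
  # handed to a local file open. Other schemes (file:, ftp:, ...) are refused too.
  unless uri.scheme && ALLOWED_SCHEMES.include?(uri.scheme.downcase)
    raise InvalidInputURL, "only http/https URLs are accepted (got scheme #{uri.scheme.inspect})"
  end

  # "http:///etc/passwd" parses with an empty host; insist on a real one.
  raise InvalidInputURL, "URL has no host" if uri.host.nil? || uri.host.empty?

  uri
end

# Convenience predicate for callers that only need a yes/no answer.
def remote_url?(input)
  validate_remote_url(input)
  true
rescue InvalidInputURL
  false
end
```

Whatever reader is used downstream should only ever receive the validated URI object, never the raw input string.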
gkellogg commented 7 years ago

Thanks for catching this.

SkypLabs commented 6 years ago

The CVE assigned for this vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2017-1000448.