william-os4y / fapws3

Fast Asynchronous Python Web Server (based on libev)
GNU General Public License v2.0

Static file server exposes directory traversal vulnerability #38

Closed jakewins closed 7 years ago

jakewins commented 12 years ago

The current default file server implementation lets remote users access the full file system the server is running on using a basic directory traversal attack.

Assuming a file structure like:

myserver.py
static/
    hello.txt

And a static file server view like:

staticfile = views.Staticfile('static', maxage=2629000)
evwsgi.wsgi_cb(('/static', staticfile))

Attackers can access the python file, and any other file accessible to the user running the fapws server:

GET /static/..%2fmyserver.py
GET /static/..%2f..%2f..%2f..%2f..%2f/etc/passwd

I realize it is meant as an example, but people will very likely end up using this in production, because users are the way they are :) Really enjoying using FAPWS3, btw!
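
The containment check this report calls for, as an added example that is not fapws3's own code: `resolve_static` and `demo` are hypothetical names, and the sample requests are the ones quoted above, run against a temporary copy of the `static/hello.txt` layout.

```python
import os
import tempfile
from urllib.parse import unquote

# Constructed sample: the legitimate request plus the two traversal attempts quoted in the report.
SAMPLE_REQUESTS = [
    "/static/hello.txt",
    "/static/..%2fmyserver.py",
    "/static/..%2f..%2f..%2f..%2f..%2f/etc/passwd",
]

def resolve_static(static_root, url_prefix, request_path):
    """Return the absolute path for a request under url_prefix, or None when
    it would leave static_root (traversal, absolute path, NUL byte)."""
    if not request_path.startswith(url_prefix + "/"):
        return None
    # Decode percent-encoding before any path logic, so "..%2f" is seen as "../".
    relative = unquote(request_path[len(url_prefix) + 1:])
    if "\x00" in relative:
        return None
    root = os.path.realpath(static_root)
    # join() drops root if `relative` is absolute ("/etc/passwd"); realpath()
    # collapses ".." and follows symlinks. The containment check catches both.
    candidate = os.path.realpath(os.path.join(root, relative))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # different drives on Windows
        inside = False
    return candidate if inside else None

def demo():
    """Recreate static/hello.txt in a temp dir and classify SAMPLE_REQUESTS.
    Returns {request: path relative to the static root, or None if rejected}."""
    with tempfile.TemporaryDirectory() as tmp:
        static_root = os.path.join(tmp, "static")
        os.mkdir(static_root)
        with open(os.path.join(static_root, "hello.txt"), "w") as fh:
            fh.write("hello\n")
        root = os.path.realpath(static_root)
        results = {}
        for req in SAMPLE_REQUESTS:
            resolved = resolve_static(static_root, "/static", req)
            results[req] = None if resolved is None else os.path.relpath(resolved, root)
        return results

if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req:48} -> {outcome or 'rejected'}")
```

Because both sides are passed through `realpath`, a symlink inside `static/` that points outside the root is rejected as well, not only literal `..` segments.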

ourway commented 8 years ago

holy .... hasn't it been resolved since 2012??

william-os4y commented 7 years ago

All my fapws servers run in chroot. This is why I do not focus on such problems. Nevertheless, I propose the change just proposed.