Severe directory traversal vulnerability (dotdotslash) #1768
Comments
@cristiulian thanks for the report, but I am not able to reproduce it. I checked with 'example/simplesvr.cc' and curl. The cpp-httplib server decodes the percent-encoded codes to '..', but Lines 2429 to 2431 in 82a90a2
Did you really confirm that the problem happened on your environment? If so, could you provide the smallest possible code example that can reproduce the problem on your machine when confirming the problem? Thanks for your help.
I've compiled simplesvr.cc and I can confirm it is happening on my environment (Win 10, VS 2017 and VS 2022). I have used the %2e%2e%5c sequence; the list of possible sequences is much longer, and I can provide it if you want. For some reason, some of them make it through the is_valid_path ".." check; I suppose they're not converted to "..".
@cristiulian I confirmed this issue on my Windows machine and fixed it. Thanks for your report!
Hello. Can you confirm this affects Windows only? The release notes didn't specify. I am not able to exploit this on a Linux build. |
Yes, I confirmed that it happened only on Windows. |
It looks like you can easily attack a server written with this library via a directory traversal method.
The %2e%2e%5c sequence is equivalent to .., so by forging a special URL you can easily request any file on the current drive (Windows) or anywhere in the system (Linux). There are some other equivalent sequences too; I've only tested with the one above.
The is_valid_path function only tests against "..", but the list should be way longer.
You can traverse back from a folder (mount point) all the way to any folder and request files such as win.ini or /etc/passwd, especially when you use the library from a service with elevated access.
This issue is extremely severe in my opinion, is there any way to prevent this behaviour?
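The following is an added example, not code from cpp-httplib or from anyone in this thread. It models the decode-then-check flow the comments describe with a simplified percent-decoder and a per-component ".." depth check (the function names percent_decode, is_valid_path_with_seps, is_valid_path_slash_only and is_valid_path_hardened are assumed for illustration). It shows why a check that only splits on '/' lets the decoded form of %2e%2e%5c through as the single component "..\", and how treating '\' as a separator as well closes that gap.

```cpp
#include <cassert>
#include <cstdio>
#include <string>

// Added example, not cpp-httplib code. The helpers below are an assumed,
// simplified model of "percent-decode the request path, then reject '..'
// components" and are not the library's actual implementation.

// Value of one hex digit, or -1 if the character is not a hex digit.
static int hex_val(char c) {
  if (c >= '0' && c <= '9') return c - '0';
  if (c >= 'a' && c <= 'f') return c - 'a' + 10;
  if (c >= 'A' && c <= 'F') return c - 'A' + 10;
  return -1;
}

// Decode %XX escapes in a URL path; malformed escapes pass through as-is.
std::string percent_decode(const std::string &s) {
  std::string out;
  for (size_t i = 0; i < s.size(); ++i) {
    if (s[i] == '%' && i + 2 < s.size()) {
      int hi = hex_val(s[i + 1]), lo = hex_val(s[i + 2]);
      if (hi >= 0 && lo >= 0) {
        out.push_back(static_cast<char>(hi * 16 + lo));
        i += 2;
        continue;
      }
    }
    out.push_back(s[i]);
  }
  return out;
}

// Split the decoded path on any character in `seps` and track directory
// depth; a ".." component that would climb above the root is rejected.
bool is_valid_path_with_seps(const std::string &path, const std::string &seps) {
  size_t level = 0;
  size_t i = 0;
  while (i < path.size()) {
    while (i < path.size() && seps.find(path[i]) != std::string::npos) ++i;
    size_t beg = i;
    while (i < path.size() && seps.find(path[i]) == std::string::npos) ++i;
    if (i == beg) break;  // only separators remained
    std::string comp = path.substr(beg, i - beg);
    if (comp == ".") continue;
    if (comp == "..") {
      if (level == 0) return false;
      --level;
    } else {
      ++level;
    }
  }
  return true;
}

// A check that only knows '/' as a separator. After decoding, "..\" is one
// component to this code but two path elements to the Windows filesystem,
// so the comparison against ".." never fires.
bool is_valid_path_slash_only(const std::string &decoded) {
  return is_valid_path_with_seps(decoded, "/");
}

// Hardened variant: refuse an embedded NUL and treat '\' as a separator on
// every platform, so "..\" is seen as a ".." component.
bool is_valid_path_hardened(const std::string &decoded) {
  if (decoded.find('\0') != std::string::npos) return false;
  return is_valid_path_with_seps(decoded, "/\\");
}

int main() {
  // Constructed sample request paths, not taken from any real traffic.
  const char *requests[] = {
      "/%2e%2e%5cwindows%5cwin.ini",  // "..\" : passes the '/'-only check
      "/%2e%2e%2fetc%2fpasswd",       // "../" : rejected by both checks
      "/static/..%5c..%5cwin.ini",    // mixed separators
      "/www/../index.html",           // legitimate ".." that stays under root
  };
  for (const char *raw : requests) {
    std::string decoded = percent_decode(raw);
    std::printf("%-30s -> %-24s slash_only=%d hardened=%d\n", raw,
                decoded.c_str(), is_valid_path_slash_only(decoded),
                is_valid_path_hardened(decoded));
  }
  return 0;
}
```

The order matters as much as the separator set: the check has to run on the decoded path, otherwise %2e%2e hides ".." from it entirely. On a POSIX build a backslash is an ordinary filename byte, which is consistent with the maintainer's observation above that the traversal only reproduces on Windows; rejecting or splitting on '\' regardless of platform is the conservative choice, since a URL path never legitimately needs one.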