CVE-2018-7490 uWSGI PHP Plugin目录遍历
?
?
#攻擊標題:uWSGI PHP Plugin目錄遍歷
#日期:2018年3月1日
#開發作者:Marios Nicolaides-RUNESEC
#評審人:西蒙·洛伊齊德斯和尼古拉斯·馬基塔尼斯-魯內塞克
#供應商主頁:https://uwsgi-docs.readthedocs.io
#受影響的軟件:2.0.17之前的uWSGI PHP Plugin
#測試依據:uWSGI 2.0.12和2.0.15
#公司代碼:CVE-2018-7490
#類別:Web應用程序
概述
--------
在沒有指定“PHP allowed docroot”選項的情況下,2.0.17之前的uWSGI PHP插件容易被目錄遍歷。
該漏洞是由于請求通過“php docroot”指定的DOCUMENT_ROOT目錄下的資源時對文件路徑的驗證不正確造成的。
遠程攻擊者可以利用此漏洞,使用路徑遍歷序列(“..%2f”)從易受攻擊的系統中讀取任意文件。
這在uWSGI 2.0.12和2.0.15上進行了測試。2.0.17之前的所有版本都會受到影響。
細節
-------
uWSGI的文檔指出,phpdocroot選項用于將我們的php環境囚禁在一個項目目錄中(http://uwsgi docs.readthedocs.io/en/latest/PHP.html\run-php-apps-without-a-frontend-server)。
;將我們的php環境囚禁在project_dir中
php docroot=%(項目目錄)
在測試過程中,觀察到uWSGI在作為獨立(沒有前端web服務器)執行時受到目錄遍歷漏洞的影響,同時使用“php docroot”選項來強制web應用程序的DOCUMENT_ROOT。
uwsgi--http套接字:1337--protocol=http--plugin php--php索引索引.php--php docroot/home/testing/webapp/
攻擊者可以通過使用路徑遍歷序列(“…%2f”)訪問敏感信息來攻擊此漏洞,如下所示:
http://example.runesec.com%2f….%2f….%2f….%2f/
我們注意到,當執行目錄遍歷攻擊時,uWSGI發出以下安全錯誤:
[uwsgi fileserve]安全錯誤:/etc/passwd不在/home/testing/webapp下或安全路徑下
但是,請求文件的內容(即/etc/passwd)仍然返回給用戶。
在搜索了web上可能的解決方案之后,我們注意到“php-allowed-docroot”選項以前被添加到uWSGI中,以獲得更好的安全性,并且可以用來列出允許的文檔根,但是沒有進一步的細節(http://lists.unbit.it/pipermail/uwsgi/2011-December/003180.html).
在進一步的測試中,我們發現當使用“php allowed docroot”而不是“php docroot”選項時,它不受目錄遍歷攻擊的影響。
uwsgi--http套接字:1337--protocol=http--plugin php--php索引索引.php--允許的根目錄/php/webapp測試/
在與uWSGI項目進行了一次非常有建設性和有幫助的談話之后,他們發布了一個更新,在使用“php docroot”選項來防止目錄遍歷攻擊時,強制執行文檔根檢查。請參閱緩解部分了解更多信息。
影響
------
攻擊者可以利用此漏洞獲取對位于web根目錄之外的敏感文件的未經授權的讀取權限。
緩解
----------
建議更新至uWSGI 2.0.17-https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.html
參考文獻
----------
https://blog.runesec.com/2018/03/01/uwsgi-path-traversal/
https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.html
https://cve.mitre.org/cgi-bin/cvename.cgi?名稱=CVE-2018-7490
https://nvd.nist.gov/vuln/detail/CVE-2018-7490
https://www.owasp.org/index.php/Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)
時間軸
--------
2017年6月26日-uWSGI項目告知了該問題
2018年2月26日-uWSGI項目發布了一個補丁
2018年3月1日-公開披露
?
phpinfo? ?
Server API?
uWSGI
可能會存在。此漏洞
?
https://www.exploit-db.com/exploits/44223
?
?
# Exploit Title: uWSGI PHP Plugin Directory Traversal # Date: 01-03-2018 # Exploit Author: Marios Nicolaides - RUNESEC # Reviewers: Simon Loizides and Nicolas Markitanis - RUNESEC # Vendor Homepage: https://uwsgi-docs.readthedocs.io # Affected Software: uWSGI PHP Plugin before 2.0.17 # Tested on: uWSGI 2.0.12 and 2.0.15 # CVE: CVE-2018-7490 # Category: Web ApplicationOVERVIEW -------- The uWSGI PHP plugin before 2.0.17 is vulnerable to Directory Traversal when used without specifying the "php-allowed-docroot" option.The vulnerability exists due to improper validation of the file path when requesting a resource under the DOCUMENT_ROOT directory which is specified via "php-docroot".A remote attacker could exploit this weakness to read arbitrary files from the vulnerable system using path traversal sequences ("..%2f").This was tested on uWSGI 2.0.12 and 2.0.15. All versions before 2.0.17 are affected.DETAILS ------- The documentation of uWSGI states that the php-docroot option is used to jail our php environment to a project directory (http://uwsgi-docs.readthedocs.io/en/latest/PHP.html#run-php-apps-without-a-frontend-server).; jail our php environment to project_dirphp-docroot = %(project_dir)During testing it was observed that uWSGI was affected by a Directory Traversal vulnerability when executed as a standalone (without a front-end web server) along with the "php-docroot" option to enforce the DOCUMENT_ROOT of the web application.uwsgi --http-socket :1337 --protocol=http --plugin php --php-index index.php --php-docroot /home/testing/webapp/An attacker could exploit this vulnerability by using path traversal sequences ("..%2f") to access sensitive information as demonstrated below:http://example.runesec.com:1337/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwdWe noticed that when a Directory Traversal attack was performed, uWSGI was issuing the following security error:[uwsgi-fileserve] security error: /etc/passwd is not under /home/testing/webapp or a safe pathHowever, the contents of the requested file (i.e., /etc/passwd) were still returned to the user.After searching the web for possible solutions, we noticed that the "php-allowed-docroot" option was previously added to uWSGI for better security and could be used to list the allowed document roots but no further details were available (http://lists.unbit.it/pipermail/uwsgi/2011-December/003180.html).Upon further testing, we observed that when the "php-allowed-docroot" was used instead of the "php-docroot" option, it was not affected by Directory Traversal attacks.uwsgi --http-socket :1337 --protocol=http --plugin php --php-index index.php --php-allowed-docroot /home/testing/webapp/After a very constructive and helpful talk with the uWSGI Project, they released an update which enforces a DOCUMENT_ROOT check when using the "php-docroot" option to prevent Directory Traversal attacks. Please see the MITIGATION section for more information.IMPACT ------ An attacker could exploit this vulnerability to gain unauthorized read access to sensitive files located outside of the web root directory.MITIGATION ---------- It is recommended to update to uWSGI 2.0.17 - https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.htmlREFERENCES ---------- https://blog.runesec.com/2018/03/01/uwsgi-path-traversal/ https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7490 https://nvd.nist.gov/vuln/detail/CVE-2018-7490 https://www.owasp.org/index.php/Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)TIMELINE -------- 26 June 2017 - uWSGI Project informed about the issue 26 February 2018 - uWSGI Project released a patch 1 March 2018 - Exploit publicly disclosed總結
以上是生活随笔為你收集整理的CVE-2018-7490 uWSGI PHP Plugin目录遍历的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 什么是python语言的解释性?
- 下一篇: 根据地址获取经纬度 -- 腾讯地图(PH