Impact
The shared files upload API, used for technique resources and common shared-files (respectively on /secure/api/resourceExplorer/* and /secure/api/sharedfile/*), is vulnerable to a directory traversal allowing replacing the content of any file on the system, including system files (as the application runs as root).
An example of request exploiting it:
curl -k 'https://rudder.example.com/rudder/secure/api/resourceExplorer/test/1.0/ncf_techniques'
-X POST -H 'Accept: application/json, text/plain, */*' -H 'X-Requested-With: XMLHttpRequest'
-H 'Cookie: JSESSIONID=...'
-F "file=@passwd" -F "destination=/../../../../../../../../etc/" Additionally, the API back-end also follows symbolic links, allowing to gain read and write access to any file on the system from a user account with access to the technique editor from a malicious resource in a technique. Note that this is unlikely to permit privilege escalation, as modifying resources requires write access to the technique, which allows applying arbitrary configuration on the systems.
Patches
- #4959: Fixes path and symbolic link traversal
Workarounds
None.
References
Impact
The shared files upload API, used for technique resources and common shared-files (respectively on
/secure/api/resourceExplorer/*and/secure/api/sharedfile/*), is vulnerable to a directory traversal allowing replacing the content of any file on the system, including system files (as the application runs as root).An example of request exploiting it:
Additionally, the API back-end also follows symbolic links, allowing to gain read and write access to any file on the system from a user account with access to the technique editor from a malicious resource in a technique. Note that this is unlikely to permit privilege escalation, as modifying resources requires write access to the technique, which allows applying arbitrary configuration on the systems.
Patches
Workarounds
None.
References