Common Weakness Enumeration

CWE-22

Allowed-with-Review

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Abstraction: Base · Status: Stable

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

13064 vulnerabilities reference this CWE, most recent first.

GHSA-9CHM-M6X2-6FVC

Vulnerability from github – Published: 2024-06-27 21:32 – Updated: 2024-06-28 21:10
VLAI
Summary
lollms vulnerable to path traversal due to unauthenticated root folder settings change
Details

A path traversal vulnerability exists in the XTTS server included in the lollms package, version v9.6. This vulnerability arises from the ability to perform an unauthenticated root folder settings change. Although the read file endpoint is protected against path traversals, this protection can be bypassed by changing the root folder to '/'. This allows attackers to read arbitrary files on the system. Additionally, the output folders can be changed to write arbitrary audio files to any location on the system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "lollms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "9.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-6085"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-28T21:10:12Z",
    "nvd_published_at": "2024-06-27T19:15:19Z",
    "severity": "HIGH"
  },
  "details": "A path traversal vulnerability exists in the XTTS server included in the lollms package, version v9.6. This vulnerability arises from the ability to perform an unauthenticated root folder settings change. Although the read file endpoint is protected against path traversals, this protection can be bypassed by changing the root folder to \u0027/\u0027. This allows attackers to read arbitrary files on the system. Additionally, the output folders can be changed to write arbitrary audio files to any location on the system.",
  "id": "GHSA-9chm-m6x2-6fvc",
  "modified": "2024-06-28T21:10:12Z",
  "published": "2024-06-27T21:32:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6085"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ParisNeo/lollms"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/d2fb73d7-4b4f-451a-8763-484c189a27fe"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "lollms vulnerable to path traversal due to unauthenticated root folder settings change"
}

GHSA-9CHX-2VQW-8VQ5

Vulnerability from github – Published: 2022-02-01 00:01 – Updated: 2026-01-23 22:41
VLAI
Summary
Duplicate Advisory: Path Traversal in the Logs plugin for Craft CMS
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-fp63-499m-hq6m. This link is maintained to preserve external references.

Original Description

The Logs plugin before 3.0.4 for Craft CMS allows remote attackers to read arbitrary files via input to actionStream in Controller.php.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "ether/logs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23409"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-02-08T16:08:49Z",
    "nvd_published_at": "2022-01-31T08:15:00Z",
    "severity": "MODERATE"
  },
  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-fp63-499m-hq6m. This link is maintained to preserve external references.\n\n## Original Description\nThe Logs plugin before 3.0.4 for Craft CMS allows remote attackers to read arbitrary files via input to actionStream in Controller.php.",
  "id": "GHSA-9chx-2vqw-8vq5",
  "modified": "2026-01-23T22:41:41Z",
  "published": "2022-02-01T00:01:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23409"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ethercreative/logs/commit/eb225cc78b1123a10ce2784790f232d71c2066c4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ethercreative/logs"
    },
    {
      "type": "WEB",
      "url": "https://plugins.craftcms.com/logs"
    },
    {
      "type": "WEB",
      "url": "https://sec-consult.com/vulnerability-lab"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/165706/Ethercreative-Logs-3.0.3-Path-Traversal.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Duplicate Advisory: Path Traversal in the Logs plugin for Craft CMS",
  "withdrawn": "2026-01-23T22:41:41Z"
}

GHSA-9CM7-H72Q-68C2

Vulnerability from github – Published: 2022-05-02 03:16 – Updated: 2022-05-02 03:16
VLAI
Details

Directory traversal vulnerability in check_lang.php in Yet Another NOCC (YANOCC) 0.1.0 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-0515"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-02-11T00:30:00Z",
    "severity": "MODERATE"
  },
  "details": "Directory traversal vulnerability in check_lang.php in Yet Another NOCC (YANOCC) 0.1.0 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter.",
  "id": "GHSA-9cm7-h72q-68c2",
  "modified": "2022-05-02T03:16:12Z",
  "published": "2022-05-02T03:16:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-0515"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/48608"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/8020"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/33862"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/33704"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2009/0383"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-9CP7-J3F8-P5JX

Vulnerability from github – Published: 2026-04-10 22:11 – Updated: 2026-04-10 22:11
VLAI
Summary
Daptin has Unauthenticated Path Traversal and Zip Slip
Details

Impact

The cloudstore.file.upload action in server/actions/action_cloudstore_file_upload.go writes user-supplied filenames directly to disk without proper validation.

This allows unauthenticated attackers to perform path traversal and zip slip attacks, leading to arbitrary file write and potential remote code execution.

CVSS Score: 10.0 Critical CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H CWE: CWE-22 (Path Traversal)

Patches

Upgrade to a patched version once released. The vulnerability affects all versions <= v0.11.3 (latest).

Workarounds

Restrict access to the cloudstore.file.upload action through authentication and authorization controls until a patch is available.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.11.3"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/daptin/daptin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.12.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T22:11:04Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\nThe `cloudstore.file.upload` action in `server/actions/action_cloudstore_file_upload.go` writes user-supplied filenames directly to disk without proper validation. \n\nThis allows unauthenticated attackers to perform path traversal and zip slip attacks, leading to arbitrary file write and potential remote code execution.\n\n**CVSS Score:** 10.0 Critical\n**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H\n**CWE:** CWE-22 (Path Traversal)\n\n### Patches\n\nUpgrade to a patched version once released. The vulnerability affects all versions \u003c= v0.11.3 (latest).\n\n### Workarounds\n\nRestrict access to the cloudstore.file.upload action through authentication and authorization controls until a patch is available.",
  "id": "GHSA-9cp7-j3f8-p5jx",
  "modified": "2026-04-10T22:11:04Z",
  "published": "2026-04-10T22:11:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/daptin/daptin/security/advisories/GHSA-9cp7-j3f8-p5jx"
    },
    {
      "type": "WEB",
      "url": "https://github.com/daptin/daptin/commit/8d626bbb14f82160a08cbca53e0749f475f5742c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/daptin/daptin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Daptin has Unauthenticated Path Traversal and Zip Slip"
}

GHSA-9CP9-8GW2-8V7M

Vulnerability from github – Published: 2024-10-08 21:31 – Updated: 2024-10-11 16:49
VLAI
Summary
Adguard Home arbitrary file read vulnerability
Details

An arbitrary file read vulnerability in Adguard Home before v0.107.52 allows authenticated attackers to access arbitrary files as root on the underlying Operating System via placing a crafted file into a readable directory.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/AdguardTeam/AdGuardHome"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.107.53"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-36814"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-08T22:30:52Z",
    "nvd_published_at": "2024-10-08T19:15:13Z",
    "severity": "HIGH"
  },
  "details": "An arbitrary file read vulnerability in Adguard Home before v0.107.52 allows authenticated attackers to access arbitrary files as root on the underlying Operating System via placing a crafted file into a readable directory.",
  "id": "GHSA-9cp9-8gw2-8v7m",
  "modified": "2024-10-11T16:49:13Z",
  "published": "2024-10-08T21:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36814"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AdguardTeam/AdGuardHome/commit/e8fd4b187287a562cbe9018999e5ea576b4c7d68"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/AdguardTeam/AdGuardHome"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AdguardTeam/AdGuardHome/blob/7c002e1a99b9b4e4a40e8c66851eda33e666d52d/internal/filtering/http.go#L23C1-L51C2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AdguardTeam/AdGuardHome/releases/tag/v0.107.53"
    },
    {
      "type": "WEB",
      "url": "https://github.com/itz-d0dgy"
    },
    {
      "type": "WEB",
      "url": "https://happy-little-accidents.pages.dev/posts/CVE-2024-36814"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2024-3184"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Adguard Home arbitrary file read vulnerability"
}

GHSA-9CQ9-W9QM-WC9P

Vulnerability from github – Published: 2026-06-30 18:31 – Updated: 2026-06-30 18:31
VLAI
Details

SeaweedFS before 4.34 contains a path traversal vulnerability in the S3 gateway DeleteMultipleObjectsHandler that allows authenticated S3 principals with write access to a single bucket to delete arbitrary objects in other tenants' buckets by supplying object keys containing ../ sequences in the DeleteObjects XML request body. Attackers can bypass authorization controls through a confused deputy condition, as the validateRequestPath middleware only inspects URL-captured path variables and never examines request-body keys, allowing the filer path to collapse directory traversal sequences and resolve deletions outside the authorized bucket.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-58372"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-30T17:16:25Z",
    "severity": "HIGH"
  },
  "details": "SeaweedFS before 4.34 contains a path traversal vulnerability in the S3 gateway DeleteMultipleObjectsHandler that allows authenticated S3 principals with write access to a single bucket to delete arbitrary objects in other tenants\u0027 buckets by supplying object keys containing ../ sequences in the DeleteObjects XML request body. Attackers can bypass authorization controls through a confused deputy condition, as the validateRequestPath middleware only inspects URL-captured path variables and never examines request-body keys, allowing the filer path to collapse directory traversal sequences and resolve deletions outside the authorized bucket.",
  "id": "GHSA-9cq9-w9qm-wc9p",
  "modified": "2026-06-30T18:31:40Z",
  "published": "2026-06-30T18:31:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/seaweedfs/seaweedfs/security/advisories/GHSA-w62w-66v9-vvgv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58372"
    },
    {
      "type": "WEB",
      "url": "https://github.com/seaweedfs/seaweedfs/pull/9931"
    },
    {
      "type": "WEB",
      "url": "https://github.com/seaweedfs/seaweedfs/commit/0345658ea8e7c6a3948ad190634b00866ec244c9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geo-chen/oss/blob/main/seaweedfs.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/seaweedfs/seaweedfs/releases/tag/4.34"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/seaweedfs-cross-bucket-object-deletion-via-deleteobjects-request-body-keys"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9CQP-Q38M-RFW4

Vulnerability from github – Published: 2025-02-12 18:31 – Updated: 2025-02-20 21:30
VLAI
Details

In Progress® Telerik® Document Processing Libraries, versions prior to 2025 Q1 (2025.1.205), unzipping an archive can lead to arbitrary file system access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-11343"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-12T16:15:39Z",
    "severity": "HIGH"
  },
  "details": "In Progress\u00ae Telerik\u00ae Document Processing Libraries, versions prior to 2025 Q1 (2025.1.205), unzipping an archive can lead to arbitrary file system access.",
  "id": "GHSA-9cqp-q38m-rfw4",
  "modified": "2025-02-20T21:30:50Z",
  "published": "2025-02-12T18:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11343"
    },
    {
      "type": "WEB",
      "url": "https://docs.telerik.com/devtools/document-processing/knowledge-base/kb-security-path-traversal-cve-2024-11343"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9CQV-QVMJ-XRC4

Vulnerability from github – Published: 2026-07-13 03:31 – Updated: 2026-07-13 03:31
VLAI
Details

A security flaw has been discovered in tugcantopaloglu godot-mcp 2.0.0. Affected by this vulnerability is the function validatePath of the file build/index.js of the component run_project. The manipulation of the argument projectPath results in path traversal. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.0.0 addresses this issue. The patch is identified as eb63add552aa4bd9205395cf91b40654654a3cf2. It is suggested to upgrade the affected component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-15522"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-13T03:16:16Z",
    "severity": "LOW"
  },
  "details": "A security flaw has been discovered in tugcantopaloglu godot-mcp 2.0.0. Affected by this vulnerability is the function validatePath of the file build/index.js of the component run_project. The manipulation of the argument projectPath results in path traversal. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.0.0 addresses this issue. The patch is identified as eb63add552aa4bd9205395cf91b40654654a3cf2. It is suggested to upgrade the affected component.",
  "id": "GHSA-9cqv-qvmj-xrc4",
  "modified": "2026-07-13T03:31:48Z",
  "published": "2026-07-13T03:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15522"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tugcantopaloglu/godot-mcp/issues/9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tugcantopaloglu/godot-mcp/commit/eb63add552aa4bd9205395cf91b40654654a3cf2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tugcantopaloglu/godot-mcp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tugcantopaloglu/godot-mcp/releases/tag/v3.0.0"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/cve/CVE-2026-15522"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/854523"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/377851"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/377851/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9CR3-63PG-942X

Vulnerability from github – Published: 2022-02-10 00:00 – Updated: 2025-10-22 00:32
VLAI
Details

Windows Print Spooler Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21997, CVE-2022-22717, CVE-2022-22718.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-21999"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-09T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "Windows Print Spooler Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21997, CVE-2022-22717, CVE-2022-22718.",
  "id": "GHSA-9cr3-63pg-942x",
  "modified": "2025-10-22T00:32:28Z",
  "published": "2022-02-10T00:00:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21999"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21999"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21999"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-21999"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/166344/Windows-SpoolFool-Privilege-Escalation.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9CR9-25Q5-8PRJ

Vulnerability from github – Published: 2026-05-29 22:30 – Updated: 2026-05-29 22:30
VLAI
Summary
PraisonAI vulnerable to unauthenticated arbitrary file read via MCP workflow.show, workflow.validate, deploy.validate
Details

Summary

The fix for GHSA-9mqq-jqxf-grvw / CVE-2026-44336 is incomplete. The original advisory description named four vulnerable handlers in mcp_server/adapters/cli_tools.py:

"registers four file-handling tools by default, praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and praisonai.workflow.show. Each accepts a path or filename string from MCP tools/call arguments… with no containment check."

Commit 68cc9427 ("fix(security): harden MCP rules path handling…") added a _resolve_rule_path() helper and applied it to rules.create, rules.show, and rules.delete. workflow.show was left unchanged. Two adjacent handlers in the same file have the same pattern, workflow.validate and deploy.validate. Neither was mentioned in the original advisory. Both remain unchanged.

The original advisory also identified the dispatcher (server.py:281-298) as a root cause. It accepts unvalidated **kwargs from params["arguments"] with no enforcement against the tool's declared input_schema. That code is unchanged in HEAD as of commit 42221210.

Result: A single unauthenticated MCP tools/call to praisonai.workflow.show returns the contents of any file the host user can read: /etc/passwd, ~/.ssh/id_rsa, ~/.aws/credentials, or any project .env.

Affected functionality

src/praisonai/praisonai/mcp_server/adapters/cli_tools.py:

Lines Tool Bug
63-73 praisonai.workflow.show Returns the full contents of any file the host user can read
42-61 praisonai.workflow.validate Reads any path; YAML parser error messages leak file existence + content fragments
415-432 praisonai.deploy.validate Same pattern as workflow.validate. The config_path="deploy.yaml" default does not constrain the input.

src/praisonai/praisonai/mcp_server/server.py:281-298, _handle_tools_call:

async def _handle_tools_call(self, params: Dict[str, Any]) -> Dict[str, Any]:
    tool_name = params.get("name")
    arguments = params.get("arguments", {})
    ...
    tool = self._tool_registry.get(tool_name)
    ...
    if asyncio.iscoroutinefunction(tool.handler):
        result = await tool.handler(**arguments)        # ← no schema enforcement
    else:
        result = tool.handler(**arguments)

Any JSON arguments the MCP client sends become a **kwargs call to the handler. The original advisory pointed at this code path as the root cause. The May 3 patch did not change it.

Default deployment is exposed

src/praisonai/praisonai/mcp_server/transports/http_stream.py:38-91:

  • host defaults to 127.0.0.1, which is still reachable from any local process or container neighbour on loopback.
  • api_key defaults to None. The auth check at http_stream.py:192-198 is gated on if self.api_key:, so it is skipped when no key is configured. There is no env var or config switch that turns auth on by default.
  • The same handlers are also reachable on the stdio transport, which is the exploitation model the original advisory was written around (Claude Desktop, Cursor, Continue.dev, Claude Code).

Other file-read sinks reachable via the same dispatcher

These were not named in the original advisory. They confirm the bug is dispatcher-wide and not limited to cli_tools.py:

  • mcp_server/adapters/capabilities.py:19-28, praisonai.audio.transcribe(file_path). Opens any host file and ships it to OpenAI Whisper.
  • mcp_server/adapters/extended_capabilities.py:47-62, praisonai.files.create(file_path). Uploads any host file to OpenAI Files. A follow-up call to praisonai.files.content(file_id) (extended_capabilities.py:103-113) returns the bytes.
  • mcp_server/adapters/extended_capabilities.py:243-258, praisonai.ocr_extract(image_path). Opens any image, returns OCR text.

The three handlers in cli_tools.py are the most direct primitives, since they echo the file content back without an OpenAI round-trip.

Proof of Concept

Layout

PraisonAI/
└── poc/
    ├── start_mcp_server.sh         ← starts the real MCP server
    ├── run_mcp_poc_video.sh        ← runs the attack with curl
    ├── venv/                       
    └── output/
        ├── mcp_server_run.log
        ├── mcp_attacker_run.log
        └── synthetic_credentials.txt   (PoC-only fake creds)

start_mcp_server.sh run_mcp_poc_video.sh

The server starter runs the real MCPServer class with register_cli_tools(), same code path praisonai mcp serve --transport http-stream uses. No mocks.

How to reproduce

Terminal 1, start the server:

cd PraisonAI
bash poc/start_mcp_server.sh

Boots MCPServer on 127.0.0.1:8766/mcp with no auth, matching the documented default api_key=None.

Terminal 2, run the attack:

cd PraisonAI
bash poc/run_mcp_poc_video.sh

Six numbered steps. Each one prints the action, runs one curl, prints the JSON-RPC response.

workflow.validate leaks /etc/hosts:

{ "result": { "content": [{ "type": "text",
  "text": "YAML error: while scanning for the next token\nfound character '\\t' that cannot start any token\n  in \"/etc/hosts\", line 7, column 10" }] } }

The parser error message confirms the file exists and includes a fragment of its content.

deploy.validate leaks ~/.ssh/known_hosts:

{ "result": { "content": [{ "type": "text",
  "text": "Error: expected '<document start>', but found '<scalar>'\n  in \"/Users/<victim>/.ssh/known_hosts\", line 1, column 13" }] } }

workflow.show exfiltrates a credential file:

{ "result": { "content": [{ "type": "text",
  "text": "# AWS-style credentials (SYNTHETIC, for PoC only)\n[default]\naws_access_key_id = AKIA-FAKE-EXFIL-KEY-FOR-POC\naws_secret_access_key = synthetic-secret-do-not-actually-exist-12345\n\n# .env-style secrets\nDATABASE_URL=postgres://app:hunter2@db.internal/prod\nSLACK_BOT_TOKEN=xoxb-FAKE-TOKEN-for-poc-only\nOPENAI_API_KEY=sk-FAKE-FOR-POC\n" }] } }

The PoC writes its own synthetic credential file so the demonstration does not depend on the reviewer's real secrets. The same call reads ~/.ssh/id_rsa, ~/.aws/credentials, or any project .env if you point it there.

https://github.com/user-attachments/assets/09511e66-6a52-4fe3-a303-91d1f99cd27a

Impact

  • Confidentiality, High. Any file the praisonai user can read becomes available to the MCP caller. Typical targets are host SSH keys, cloud credentials, API tokens, project .env files, ~/.netrc, ~/.docker/config.json, browser cookie databases, and the system password file.
  • No authentication required. The default is api_key=None (http_stream.py:91). The auth check at http_stream.py:192-198 is wrapped in if self.api_key:, so it does not run when no key is configured.
  • No operator misconfiguration required. This is the documented default.
  • The original advisory's exploitation model still applies. An MCP-connected LLM whose context contains attacker-controlled web pages, documents, or emails can be steered into issuing the same tools/call and returning the response. No operator click is needed beyond "summarise this page".

The original advisory was Critical because the write primitive (rules.create) chained to RCE through .pth injection. This finding is the read half of the same shape. Read alone is enough to take SSH keys, cloud credentials, and tokens, which is usually how the rest of the host gets compromised through credential reuse.

Suggested fix

There are two ways to fix this. Doing both is fine. The dispatcher fix is preferred because it closes the same class of bug for every handler that takes a path-shaped argument, including the OpenAI-backed ones called out earlier.

1. Enforce tool.input_schema in the dispatcher

mcp_server/server.py:281-298. The schemas are already built reflectively from each handler's signature in registry.py:320-376. Validate arguments against the registered schema before calling tool.handler(**arguments) and reject anything that does not match. This covers workflow.show, workflow.validate, deploy.validate, audio.transcribe, files.create, ocr_extract, and any handler added later.

2. Per-handler containment

This is the same shape as the existing _resolve_rule_path() helper added in commit 68cc9427:

# cli_tools.py
def _resolve_workflow_path(file_path: str) -> Path:
    """Restrict workflow file_path to an allowed root."""
    if not isinstance(file_path, str) or not file_path:
        raise ValueError("file_path must be a non-empty string")
    if "\x00" in file_path or file_path.startswith("~"):
        raise ValueError(f"invalid file_path: {file_path!r}")
    workflows_root = Path(os.path.expanduser("~/.praison/workflows")).resolve()
    workflows_root.mkdir(parents=True, exist_ok=True)
    candidate = (workflows_root / file_path).resolve()
    try:
        candidate.relative_to(workflows_root)
    except ValueError:
        raise ValueError(f"invalid file_path: {file_path!r}")
    return candidate

Apply the same helper to:

  • workflow_show(file_path) and workflow_validate(file_path). Restrict to a workflow root.
  • deploy_validate(config_path). Restrict to a deploy-config root or an explicit allowlist.
  • The default="deploy.yaml" fallback resolves into the user's current working directory. Containment is what fixes the bug, but removing that default also makes prompt-injection chains harder.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.6.39"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "PraisonAI"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.6.40"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47394"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-22",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-29T22:30:58Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe fix for GHSA-9mqq-jqxf-grvw / CVE-2026-44336 is incomplete. The original advisory description named four vulnerable handlers in `mcp_server/adapters/cli_tools.py`:\n\n\u003e \"registers four file-handling tools by default, `praisonai.rules.create`, `praisonai.rules.show`, `praisonai.rules.delete`, **and `praisonai.workflow.show`**. Each accepts a path or filename string from MCP `tools/call` arguments\u2026 **with no containment check**.\"\n\nCommit `68cc9427` (\"fix(security): harden MCP rules path handling\u2026\") added a `_resolve_rule_path()` helper and applied it to `rules.create`, `rules.show`, and `rules.delete`. `workflow.show` was left unchanged. Two adjacent handlers in the same file have the same pattern, `workflow.validate` and `deploy.validate`. Neither was mentioned in the original advisory. Both remain unchanged.\n\nThe original advisory also identified the dispatcher (`server.py:281-298`) as a root cause. It accepts unvalidated `**kwargs` from `params[\"arguments\"]` with no enforcement against the tool\u0027s declared `input_schema`. That code is unchanged in HEAD as of commit `42221210`.\n\n**Result**: A single unauthenticated MCP `tools/call` to `praisonai.workflow.show` returns the contents of any file the host user can read: `/etc/passwd`, `~/.ssh/id_rsa`, `~/.aws/credentials`, or any project `.env`.\n\n## Affected functionality\n\n`src/praisonai/praisonai/mcp_server/adapters/cli_tools.py`:\n\n| Lines | Tool | Bug |\n|-------|------|-----|\n| 63-73 | `praisonai.workflow.show` | Returns the full contents of any file the host user can read |\n| 42-61 | `praisonai.workflow.validate` | Reads any path; YAML parser error messages leak file existence + content fragments |\n| 415-432 | `praisonai.deploy.validate` | Same pattern as `workflow.validate`. The `config_path=\"deploy.yaml\"` default does not constrain the input. |\n\n`src/praisonai/praisonai/mcp_server/server.py:281-298`, `_handle_tools_call`:\n\n```python\nasync def _handle_tools_call(self, params: Dict[str, Any]) -\u003e Dict[str, Any]:\n    tool_name = params.get(\"name\")\n    arguments = params.get(\"arguments\", {})\n    ...\n    tool = self._tool_registry.get(tool_name)\n    ...\n    if asyncio.iscoroutinefunction(tool.handler):\n        result = await tool.handler(**arguments)        # \u2190 no schema enforcement\n    else:\n        result = tool.handler(**arguments)\n```\n\nAny JSON arguments the MCP client sends become a `**kwargs` call to the handler. The original advisory pointed at this code path as the root cause. The May 3 patch did not change it.\n\n## Default deployment is exposed\n\n`src/praisonai/praisonai/mcp_server/transports/http_stream.py:38-91`:\n\n- `host` defaults to `127.0.0.1`, which is still reachable from any local process or container neighbour on loopback.\n- `api_key` defaults to `None`. The auth check at `http_stream.py:192-198` is gated on `if self.api_key:`, so it is skipped when no key is configured. There is no env var or config switch that turns auth on by default.\n- The same handlers are also reachable on the stdio transport, which is the exploitation model the original advisory was written around (Claude Desktop, Cursor, Continue.dev, Claude Code).\n\n## Other file-read sinks reachable via the same dispatcher\n\nThese were not named in the original advisory. They confirm the bug is dispatcher-wide and not limited to `cli_tools.py`:\n\n- `mcp_server/adapters/capabilities.py:19-28`, `praisonai.audio.transcribe(file_path)`. Opens any host file and ships it to OpenAI Whisper.\n- `mcp_server/adapters/extended_capabilities.py:47-62`, `praisonai.files.create(file_path)`. Uploads any host file to OpenAI Files. A follow-up call to `praisonai.files.content(file_id)` (`extended_capabilities.py:103-113`) returns the bytes.\n- `mcp_server/adapters/extended_capabilities.py:243-258`, `praisonai.ocr_extract(image_path)`. Opens any image, returns OCR text.\n\nThe three handlers in `cli_tools.py` are the most direct primitives, since they echo the file content back without an OpenAI round-trip.\n\n## Proof of Concept\n\n### Layout\n```\nPraisonAI/\n\u2514\u2500\u2500 poc/\n    \u251c\u2500\u2500 start_mcp_server.sh         \u2190 starts the real MCP server\n    \u251c\u2500\u2500 run_mcp_poc_video.sh        \u2190 runs the attack with curl\n    \u251c\u2500\u2500 venv/                       \n    \u2514\u2500\u2500 output/\n        \u251c\u2500\u2500 mcp_server_run.log\n        \u251c\u2500\u2500 mcp_attacker_run.log\n        \u2514\u2500\u2500 synthetic_credentials.txt   (PoC-only fake creds)\n```\n\n[start_mcp_server.sh](https://github.com/user-attachments/files/27569524/start_mcp_server.sh)\n[run_mcp_poc_video.sh](https://github.com/user-attachments/files/27569525/run_mcp_poc_video.sh)\n\nThe server starter runs the real `MCPServer` class with `register_cli_tools()`, same code path `praisonai mcp serve --transport http-stream` uses. No mocks.\n\n### How to reproduce\n\n**Terminal 1, start the server**:\n```bash\ncd PraisonAI\nbash poc/start_mcp_server.sh\n```\nBoots `MCPServer` on `127.0.0.1:8766/mcp` with no auth, matching the documented default `api_key=None`.\n\n**Terminal 2, run the attack**:\n```bash\ncd PraisonAI\nbash poc/run_mcp_poc_video.sh\n```\nSix numbered steps. Each one prints the action, runs one `curl`, prints the JSON-RPC response.\n\n**`workflow.validate` leaks `/etc/hosts`:**\n```json\n{ \"result\": { \"content\": [{ \"type\": \"text\",\n  \"text\": \"YAML error: while scanning for the next token\\nfound character \u0027\\\\t\u0027 that cannot start any token\\n  in \\\"/etc/hosts\\\", line 7, column 10\" }] } }\n```\nThe parser error message confirms the file exists and includes a fragment of its content.\n\n**`deploy.validate` leaks `~/.ssh/known_hosts`:**\n```json\n{ \"result\": { \"content\": [{ \"type\": \"text\",\n  \"text\": \"Error: expected \u0027\u003cdocument start\u003e\u0027, but found \u0027\u003cscalar\u003e\u0027\\n  in \\\"/Users/\u003cvictim\u003e/.ssh/known_hosts\\\", line 1, column 13\" }] } }\n```\n\n**`workflow.show` exfiltrates a credential file:**\n```json\n{ \"result\": { \"content\": [{ \"type\": \"text\",\n  \"text\": \"# AWS-style credentials (SYNTHETIC, for PoC only)\\n[default]\\naws_access_key_id = AKIA-FAKE-EXFIL-KEY-FOR-POC\\naws_secret_access_key = synthetic-secret-do-not-actually-exist-12345\\n\\n# .env-style secrets\\nDATABASE_URL=postgres://app:hunter2@db.internal/prod\\nSLACK_BOT_TOKEN=xoxb-FAKE-TOKEN-for-poc-only\\nOPENAI_API_KEY=sk-FAKE-FOR-POC\\n\" }] } }\n```\n\nThe PoC writes its own synthetic credential file so the demonstration does not depend on the reviewer\u0027s real secrets. The same call reads `~/.ssh/id_rsa`, `~/.aws/credentials`, or any project `.env` if you point it there.\n\nhttps://github.com/user-attachments/assets/09511e66-6a52-4fe3-a303-91d1f99cd27a\n\n\n## Impact\n\n- Confidentiality, High. Any file the praisonai user can read becomes available to the MCP caller. Typical targets are host SSH keys, cloud credentials, API tokens, project `.env` files, `~/.netrc`, `~/.docker/config.json`, browser cookie databases, and the system password file.\n- No authentication required. The default is `api_key=None` (`http_stream.py:91`). The auth check at `http_stream.py:192-198` is wrapped in `if self.api_key:`, so it does not run when no key is configured.\n- No operator misconfiguration required. This is the documented default.\n- The original advisory\u0027s exploitation model still applies. An MCP-connected LLM whose context contains attacker-controlled web pages, documents, or emails can be steered into issuing the same `tools/call` and returning the response. No operator click is needed beyond \"summarise this page\".\n\nThe original advisory was Critical because the write primitive (rules.create) chained to RCE through `.pth` injection. This finding is the read half of the same shape. Read alone is enough to take SSH keys, cloud credentials, and tokens, which is usually how the rest of the host gets compromised through credential reuse.\n\n## Suggested fix\n\nThere are two ways to fix this. Doing both is fine. The dispatcher fix is preferred because it closes the same class of bug for every handler that takes a path-shaped argument, including the OpenAI-backed ones called out earlier.\n\n### 1. Enforce `tool.input_schema` in the dispatcher\n\n`mcp_server/server.py:281-298`. The schemas are already built reflectively from each handler\u0027s signature in `registry.py:320-376`. Validate `arguments` against the registered schema before calling `tool.handler(**arguments)` and reject anything that does not match. This covers `workflow.show`, `workflow.validate`, `deploy.validate`, `audio.transcribe`, `files.create`, `ocr_extract`, and any handler added later.\n\n### 2. Per-handler containment\n\nThis is the same shape as the existing `_resolve_rule_path()` helper added in commit `68cc9427`:\n\n```python\n# cli_tools.py\ndef _resolve_workflow_path(file_path: str) -\u003e Path:\n    \"\"\"Restrict workflow file_path to an allowed root.\"\"\"\n    if not isinstance(file_path, str) or not file_path:\n        raise ValueError(\"file_path must be a non-empty string\")\n    if \"\\x00\" in file_path or file_path.startswith(\"~\"):\n        raise ValueError(f\"invalid file_path: {file_path!r}\")\n    workflows_root = Path(os.path.expanduser(\"~/.praison/workflows\")).resolve()\n    workflows_root.mkdir(parents=True, exist_ok=True)\n    candidate = (workflows_root / file_path).resolve()\n    try:\n        candidate.relative_to(workflows_root)\n    except ValueError:\n        raise ValueError(f\"invalid file_path: {file_path!r}\")\n    return candidate\n```\n\nApply the same helper to:\n\n- `workflow_show(file_path)` and `workflow_validate(file_path)`. Restrict to a workflow root.\n- `deploy_validate(config_path)`. Restrict to a deploy-config root or an explicit allowlist.\n- The `default=\"deploy.yaml\"` fallback resolves into the user\u0027s current working directory. Containment is what fixes the bug, but removing that default also makes prompt-injection chains harder.",
  "id": "GHSA-9cr9-25q5-8prj",
  "modified": "2026-05-29T22:30:58Z",
  "published": "2026-05-29T22:30:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9cr9-25q5-8prj"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PraisonAI vulnerable to unauthenticated arbitrary file read via MCP workflow.show, workflow.validate, deploy.validate"
}

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-15
Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Mitigation MIT-20.1
Implementation

Strategy: Input Validation

  • Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
  • Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes:
  • realpath() in C
  • getCanonicalPath() in Java
  • GetFullPath() in ASP.NET
  • realpath() or abs_path() in Perl
  • realpath() in PHP
Mitigation MIT-4
Architecture and Design

Strategy: Libraries or Frameworks

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].

Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Mitigation MIT-21.1
Architecture and Design

Strategy: Enforcement by Conversion

  • When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
  • For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap [REF-185] provide this capability.
Mitigation MIT-22
Architecture and Design Operation

Strategy: Sandbox or Jail

  • Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.
  • OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.
  • This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.
  • Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation MIT-34
Architecture and Design Operation

Strategy: Attack Surface Reduction

  • Store library, include, and utility files outside of the web document root, if possible. Otherwise, store them in a separate directory and use the web server's access control capabilities to prevent attackers from directly requesting them. One common practice is to define a fixed constant in each calling program, then check for the existence of the constant in the library/include file; if the constant does not exist, then the file was directly requested, and it can exit immediately.
  • This significantly reduces the chance of an attacker being able to bypass any protection mechanisms that are in the base program but not in the include files. It will also reduce the attack surface.
Mitigation MIT-39
Implementation
  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
  • In the context of path traversal, error messages which disclose path information can help attackers craft the appropriate attack strings to move through the file system hierarchy.
Mitigation MIT-16
Operation Implementation

Strategy: Environment Hardening

When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.

CAPEC-126: Path Traversal

An adversary uses path manipulation methods to exploit insufficient input validation of a target to obtain access to data that should be not be retrievable by ordinary well-formed requests. A typical variety of this attack involves specifying a path to a desired file together with dot-dot-slash characters, resulting in the file access API or function traversing out of the intended directory structure and into the root file system. By replacing or modifying the expected path information the access function or API retrieves the file desired by the attacker. These attacks either involve the attacker providing a complete path to a targeted file or using control characters (e.g. path separators (/ or \) and/or dots (.)) to reach desired directories or files.

CAPEC-64: Using Slashes and URL Encoding Combined to Bypass Validation Logic

This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

CAPEC-78: Using Escaped Slashes in Alternate Encoding

This attack targets the use of the backslash in alternate encoding. An adversary can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. By using that trick, the adversary tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack.

CAPEC-79: Using Slashes in Alternate Encoding

This attack targets the encoding of the Slash characters. An adversary would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the adversary many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.