CWE-34
AllowedPath Traversal: '....//'
Abstraction: Variant · Status: Incomplete
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....//' (doubled dot dot slash) sequences that can resolve to a location that is outside of that directory.
2 vulnerabilities reference this CWE, most recent first.
GHSA-3227-R97M-8J95
Vulnerability from github – Published: 2022-04-22 20:16 – Updated: 2022-04-22 20:16Impact
This vulnerability effects the built-in afire serve_static extension allowing paths containing //.... to bypass the previous path sanitation and request files in higher directories that should not be accessible.
Patches
The issue has been fixed in afire 1.1.0. If you can, just update to the newest version of afire.
Workarounds
If you can't update afire you can simply disallow paths containing /.. with the following middleware.
Make sure this is the last middleware added to the server so it runs first, stopping the bad requests.
use afire::prelude::*;
struct PathTraversalFix;
impl Middleware for PathTraversalFix {
fn pre(&self, req: Request) -> MiddleRequest {
if req.path.replace("\\", "/").contains("/..") {
return MiddleRequest::Send(
Response::new()
.status(400)
.text("Paths containing `..` are not allowed"),
);
}
MiddleRequest::Continue
}
}
let mut server = Server::new(host, port);
PathTraversalFix.attach(&mut server);
References
You can read about the new changes to afire in 1.1.0 here
For more information
If you have any questions or comments about this advisory you can email me or message me on discord. [https://connorcode.com/contact]
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "afire"
},
"ranges": [
{
"events": [
{
"introduced": "0.2.1"
},
{
"fixed": "1.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-34"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-22T20:16:45Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nThis vulnerability effects the built-in afire serve_static extension allowing paths containing `//....` to bypass the previous path sanitation and request files in higher directories that should not be accessible.\n\n### Patches\nThe issue has been fixed in [afire 1.1.0](https://crates.io/crates/afire/1.1.0).\nIf you can, just update to the newest version of afire.\n\n### Workarounds\nIf you can\u0027t update afire you can simply disallow paths containing `/..` with the following middleware.\nMake sure this is the last middleware added to the server so it runs first, stopping the bad requests.\n```rust\nuse afire::prelude::*;\n\nstruct PathTraversalFix;\n\nimpl Middleware for PathTraversalFix {\n fn pre(\u0026self, req: Request) -\u003e MiddleRequest {\n if req.path.replace(\"\\\\\", \"/\").contains(\"/..\") {\n return MiddleRequest::Send(\n Response::new()\n .status(400)\n .text(\"Paths containing `..` are not allowed\"),\n );\n }\n\n MiddleRequest::Continue\n }\n}\n```\n```rust\nlet mut server = Server::new(host, port);\nPathTraversalFix.attach(\u0026mut server);\n```\n\n### References\nYou can read about the new changes to afire in 1.1.0 [here](https://connorcode.com/writing/afire/update-3)\n\n### For more information\nIf you have any questions or comments about this advisory you can email me or message me on discord.\n[[https://connorcode.com/contact](https://connorcode.com/contact)]",
"id": "GHSA-3227-r97m-8j95",
"modified": "2022-04-22T20:16:45Z",
"published": "2022-04-22T20:16:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Basicprogrammer10/afire/security/advisories/GHSA-3227-r97m-8j95"
},
{
"type": "WEB",
"url": "https://github.com/Basicprogrammer10/afire/commit/da7904c04f82e1cb43cc42eaf6a1dba072b5c921"
},
{
"type": "PACKAGE",
"url": "https://github.com/Basicprogrammer10/afire"
},
{
"type": "WEB",
"url": "https://github.com/Basicprogrammer10/afire/releases/tag/v1.1.0"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Relative Path Traversal in afire serve_static"
}
GHSA-W25V-58XW-9XCX
Vulnerability from github – Published: 2023-10-18 00:31 – Updated: 2024-04-04 08:45A lack of input sanitizing in the file download feature of eSST Monitoring v2.147.1 allows attackers to execute a path traversal.
{
"affected": [],
"aliases": [
"CVE-2023-41629"
],
"database_specific": {
"cwe_ids": [
"CWE-34"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-17T22:15:17Z",
"severity": "HIGH"
},
"details": "A lack of input sanitizing in the file download feature of eSST Monitoring v2.147.1 allows attackers to execute a path traversal.",
"id": "GHSA-w25v-58xw-9xcx",
"modified": "2024-04-04T08:45:06Z",
"published": "2023-10-18T00:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41629"
},
{
"type": "WEB",
"url": "https://github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2023-41629-eSST-Path-Traversal.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5.1
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
- Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
No CAPEC attack patterns related to this CWE.