
The 'add attachment to parts' functionality allows access to local files.

Open alestorm980 opened this issue 4 years ago • 3 comments

Bug description

In PartKeepr before v1.4.0, the functionality to load attachments using a URL when creating a part allows the use of the file:// URI scheme, allowing local files to be read.

Steps to reproduce

  1. Go to 'Add Part'.
  2. Click on 'Attachments'.
  3. Click on 'Add'.
  4. Fill the 'URL' field with "file:///etc/passwd".
  5. Click on the uploaded file in order to see the content.

Expected behavior

The application should not allow access to local files.

Observed behavior

Local paths can be used to read files on the system.

Screenshots and files

path_file

passwd_content

System Information

  • PartKeepr Version: v1.4.0 and v0.1.9
  • Operating System: Linux
  • Web Server: Apache
  • PHP Version: 7.4
  • Database and version: MySQL
  • Reproducible on the demo system: Yes.

alestorm980 avatar Jan 04 '22 13:01 alestorm980

This is how most users add locally stored / downloaded data sheets / images etc. Does this allow access to resources that the user does not have permissions for?


Gasman2014 avatar Jan 04 '22 14:01 Gasman2014

Yes, it is possible to read files within the server to which the user running the application has access; this includes source code, system configuration files, SSH keys, etc.

For example, here an attacker can read an SSH key from the user running the application.

lfi_rsa

alestorm980 avatar Jan 04 '22 14:01 alestorm980

I attach the link to the advisory https://fluidattacks.com/advisories/hendrix/

alestorm980 avatar Jan 06 '22 15:01 alestorm980
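
The expected behavior from the report, enforced as a scheme allow-list before the server fetches an attachment URL. This is an added example, not PartKeepr's code: the function names are hypothetical, and it assumes the fetch is done with PHP's curl extension, which the thread does not state.

```php
<?php
// Added example with hypothetical helper names; not taken from PartKeepr.
// Assumption: the server downloads the user-supplied attachment URL via ext-curl.

const ALLOWED_SCHEMES = ['http', 'https'];

/** Return null if the URL may be fetched, otherwise the reason it is refused. */
function attachmentUrlError(string $url): ?string
{
    $parts = parse_url(trim($url));
    if ($parts === false || !isset($parts['scheme'])) {
        return 'not an absolute URL'; // covers bare paths such as "/etc/passwd"
    }
    $scheme = strtolower($parts['scheme']); // "FILE://" is the same scheme as "file://"
    if (!in_array($scheme, ALLOWED_SCHEMES, true)) {
        return "scheme '$scheme' is not allowed";
    }
    return empty($parts['host']) ? 'URL has no host' : null;
}

/** Fetch an attachment body, refusing anything the validator rejects. */
function fetchAttachment(string $url): string
{
    if (($error = attachmentUrlError($url)) !== null) {
        throw new InvalidArgumentException($error);
    }
    $ch = curl_init(trim($url));
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        // Also pin the transport, so a redirect cannot switch to another scheme.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('fetch failed: ' . curl_error($ch));
    }
    return $body;
}

// Constructed sample inputs; only the validator runs, so no network is needed.
foreach (['https://example.com/datasheet.pdf', 'file:///etc/passwd', 'FILE:///etc/passwd', '/etc/passwd'] as $candidate) {
    echo str_pad($candidate, 36), attachmentUrlError($candidate) ?? 'accepted', "\n";
}
```

Files that users want to attach from their own machine would go through a browser upload rather than a URL, so refusing file:// on the server side only removes the server's own filesystem from reach.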