CVE-2023-29004: Absolute Path Traversal Vulnerability in hap-wi/roxy-wi

hap-wi/roxy-wi is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A Path Traversal vulnerability was found in the current version of Roxy-WI (6.3.9.0 at the moment of writing this report). The vulnerability can be exploited via an HTTP request to /app/options.py and the config_file_name parameter. Successful exploitation of this vulnerability could allow an attacker with user-level privileges to obtain the content of arbitrary files on the file server, within the scope of what the server process has access to. The root cause of the vulnerability lies in the get_config function of the /app/modules/config/config.py file, which only checks for relative path traversal but still allows files to be read from absolute locations passed via the config_file_name parameter.


Summary

Hi Roxy-WI Dev Team!

An Absolute Path Traversal vulnerability was found in the current version of Roxy-WI (6.3.9.0 at the moment of writing this report). The vulnerability can be exploited via an HTTP request to /app/options.py and the config_file_name parameter. The vulnerability lies in an insufficient patch to CVE-2023-25802.

Successful exploitation of this vulnerability could allow an authenticated attacker to obtain the content of arbitrary files within the file server.

Details

The root cause of the vulnerability lies in the get_config function of the /app/modules/config/config.py file, which only checks for relative path traversal but still allows files to be read from absolute locations passed via the config_file_name parameter.
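The contrast the advisory describes, as an added illustration that is not Roxy-WI's own code: a check that only rejects `..` components is bypassed by an absolute path, whereas resolving the path first and then requiring it to sit inside an allow-list of directories closes both the relative and the absolute case. The allow-list of directories is a hypothetical value chosen for this example.

```python
import os

# Hypothetical allow-list for this example; not a Roxy-WI setting.
ALLOWED_CONFIG_DIRS = ("/etc/haproxy", "/etc/nginx", "/etc/apache2", "/etc/keepalived")


def weak_check(config_file_name: str) -> bool:
    """The kind of check the advisory calls insufficient: it rejects '..'
    components, but an absolute path such as '/etc/passwd' passes untouched."""
    return ".." not in config_file_name.split("/")


def strict_check(config_file_name: str, allowed_dirs=ALLOWED_CONFIG_DIRS) -> bool:
    """Resolve the path first ('..' segments and symlinks), then decide
    containment against the resolved allow-list, so neither a relative
    traversal nor an absolute path can escape an allowed directory."""
    resolved = os.path.realpath(config_file_name)
    for base in allowed_dirs:
        base_real = os.path.realpath(base)
        try:
            # commonpath compares whole components, so '/etc/nginxfoo' does
            # not match the '/etc/nginx' base the way a string prefix would.
            if os.path.commonpath([base_real, resolved]) == base_real:
                return True
        except ValueError:
            # Mixed absolute/relative paths (or different drives on Windows).
            continue
    return False


def evaluate(config_file_name: str) -> dict:
    """Return both verdicts for one value of the config_file_name parameter."""
    return {
        "path": config_file_name,
        "weak_check": weak_check(config_file_name),
        "strict_check": strict_check(config_file_name),
    }


if __name__ == "__main__":
    for candidate in ("/etc/nginx/nginx.conf", "/etc/nginx/../passwd", "/etc/passwd"):
        print(evaluate(candidate))
```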

PoC

  1. Send an authenticated HTTP request to /app/options.py as shown below. The PoC retrieves /etc/passwd, but any file readable by the user running the HTTPd service can be accessed.

Impact

The vulnerability impacts the confidentiality of the server, allowing an attacker to access arbitrary files within the filesystem.

Related news

CVE-2023-25802: v6.3.6.0 · hap-wi/roxy-wi@0054f25

Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Versions prior to 6.3.6.0 don't correctly neutralize `dir/../filename` sequences, such as `/etc/nginx/../passwd`, allowing an actor to gain information about a server. Version 6.3.6.0 has a patch for this issue.
