Relative Path Traversal in flarum/framework

Valid

Reported on

Jun 11th 2021


✍️ Description

The avatar URL from OAuth registration is passed to Intervention Image's ImageManager::make function without any validation of the URL. Since ImageManager::make allows a relative path to read a file, it is possible to inject arbitrary inputs like storage/somefile.jpg or even absolute paths like /home/someimage.jpg.

🕵️‍♂️ Proof of Concept

  1. Create a fake OAuth Provider.
  2. Return some relative URL avatar_url in User details API call.
  3. It will be passed as input to (new ImageManager)->make($url); which will process the relative path without any validation.

💥 Impact

The data comes from third-party integrations, i.e. extensions that call external OAuth APIs. In some conditions, where a trusted OAuth provider allows custom URLs as avatar URLs for its users, this bug can be exploited to read local files on the server running Flarum, as well as for server-side request forgery.

Jamie Slome
a year ago

Admin


Hey @0xcrypto - we have contacted the maintainer and we are awaiting a response from them.

0xcrypto
a year ago

Researcher


Thanks! Jamie Jamie!

Daniël Klabbers
a year ago

We talked about this internally (although seemingly I have been the only one to get notified). Our code in Registration signifies only a URL is allowed, we just don't validate against it.

So that's what we are going to do, thanks for discovering this one.

Please understand that currently no oauth extensions abuse this logic (as owner of the flarum extension directory extiverse.com I just checked each published oauth extension). No users have been impacted so far.

Daniël Klabbers validated this vulnerability a year ago
0xcrypto has been awarded the disclosure bounty
The fix bounty is now up for grabs
Daniël Klabbers
a year ago

On another tangent, we think that the severity is overclassified. This vulnerability is not a direct one. Abusing the avatar URL by using the local filesystem instead of providing an avatar URL will cause the ImageManager to error and stop. The only way this system can be used is if the ImageManager does not sanitize its input. Intervention is very reliable, so the chances of this happening are limited.

David Wheatley submitted a
a year ago
0xcrypto
a year ago

Researcher


Thanks for the quick patch!

While fixing, please take the phar metadata deserialization vulnerability in PHP 7.x into consideration. It is possible to pass a phar:// URL to filesystem functions like file_get_contents (Intervention Image's ImageManager::make does that internally) and exploit a POP gadget chain from within a phar file. This requires a phar file to be uploaded (extensions don't matter here) though.

I am currently analyzing Validator for any bypass to this and will let you know.

David Wheatley
a year ago

Please note that immediately below the Illuminate validator, the patch validates that the URI scheme is http(s), and will otherwise throw an error.
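One way to gate an OAuth-supplied avatar URL before it reaches the image loader, as an added PHP example (not Flarum's actual patch; the function name isSafeAvatarUrl and the sample inputs are constructed for illustration):

```php
<?php
// Added example, not Flarum's own code: reject anything that
// ImageManager::make() could interpret as a local path or a PHP
// stream wrapper (phar://, file://) instead of a remote http(s) URL.

declare(strict_types=1);

/**
 * Returns true only for absolute http(s) URLs that carry a host.
 * Relative paths, absolute paths, scheme-relative URLs and every
 * non-http scheme are rejected.
 */
function isSafeAvatarUrl(string $url): bool
{
    // Control characters and NUL bytes have no place in a URL and are
    // handled inconsistently by wrappers and filesystem functions.
    if ($url === '' || preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return false;
    }

    // parse_url() returns false on badly malformed input. A missing
    // scheme covers storage/x.jpg, /home/x.jpg and //host/x.jpg.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }

    // Only plain HTTP(S) may reach the loader; this excludes phar://,
    // file://, data: and any other wrapper registered in PHP.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }

    // filter_var() adds RFC-level syntax checks on top of the scheme check.
    return filter_var($url, FILTER_VALIDATE_URL) !== false;
}

// Constructed inputs mirroring the report: values a provider could
// return as avatar_url in the user-details response.
$samples = [
    'https://example.com/avatar.png',        // accepted
    'storage/somefile.jpg',                  // relative path from the report
    '/home/someimage.jpg',                   // absolute path from the report
    'phar://path/to/archive.phar/avatar.jpg', // wrapper discussed in the thread
    'file:///home/someimage.jpg',            // wrapper, no host
    '//example.com/avatar.png',              // scheme-relative, no scheme
];

foreach ($samples as $url) {
    printf("%-42s %s\n", $url, isSafeAvatarUrl($url) ? 'accepted' : 'rejected');
}
// Only an accepted URL should be handed to (new ImageManager)->make($url).
```

The scheme check stops local-path and wrapper reads; it does not by itself address SSRF against internal hosts over http(s), which needs a separate host or IP allow-list before fetching.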

0xcrypto
a year ago

Researcher


Good patch!

0xcrypto
a year ago

Researcher


I see that the patch has been merged to the master branch, can we confirm the fix here as well?

David Wheatley
a year ago

I don't think it has been merged yet: https://github.com/flarum/core/compare/master...davwheat:dw/huntr-fix-path-traversal

0xcrypto
a year ago

Researcher


Oh my bad... I confused it for https://github.com/flarum/core/pull/2906

Daniël Klabbers
a year ago

Can the severity be reduced @admin to 2.6:

CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N

PR: https://github.com/flarum/core/pull/2923

Jamie Slome
a year ago

Admin


Sorted!

David Wheatley submitted a
a year ago
Daniël Klabbers confirmed that a fix has been merged on a0152f a year ago
David Wheatley has been awarded the fix bounty