Discourse: Arbitrary Local-File Read from Admin - Restore From Backup due to Symlinks

2017-03-15T02:26:12
ID H1:213558
Type hackerone
Reporter ziot
Modified 2017-05-13T21:25:53

Description

As an Admin user on Discourse there is a feature to create, upload, and restore backups. Generating a backup creates a tar file consisting of the database as a SQL file and uploaded files from /public/upload/*. Having the ability to upload these tar files and restore from them, you can add any file that you wish.

Manually modifying the tar archive and adding a symlink, you are able to read any arbitrary file that the user has permission to including files outside of the Discourse application directory.

Steps

  1. Load http://try.discourse.org
  2. Login as an Admin user.
  3. Go to the Backups page:
  4. http://try.discourse.org/admin/backups/
  5. Create a new backup including files.
  6. Extract the backup files to a folder on your server.
  7. Create a symlink to /etc/passwd In the /uploads/ folder of the backup, e.g. /uploads/default/original/1X/[file].jpg.
  8. example: ln -s /etc/passwd /home/symlink/files/uploads/default/original/1X/7ad2e8f5fe02890f20503044b604e29e6f3718fd.png
  9. Create a .tar.gz from the extracted files.
  10. Upload the newly crafted tar to the server.
  11. Enable Restore from Backups in settings if it's not enabled.
  12. Restore from the backup that uploaded.
  13. Go to the uploaded file in your browser after it uploads, e.g.
  14. http://try.discourse.org/uploads/default/original/1X/[file].jpg
  15. ---> You were able to read file contents of /etc/passwd due to the symlink being extracted from the tar.