Discourse: Arbitrary Local-File Read from Admin - Restore From Backup due to Symlinks
2017-03-15T02:26:12
ID H1:213558 Type hackerone Reporter ziot Modified 2017-05-13T21:25:53
Description
As an Admin user on Discourse there is a feature to create, upload, and restore backups. Generating a backup creates a tar file consisting of the database as a SQL file and uploaded files from /public/upload/*. Having the ability to upload these tar files and restore from them, you can add any file that you wish.
Manually modifying the tar archive and adding a symlink, you are able to read any arbitrary file that the user has permission to including files outside of the Discourse application directory.
Steps
Load http://try.discourse.org
Login as an Admin user.
Go to the Backups page:
http://try.discourse.org/admin/backups/
Create a new backup including files.
Extract the backup files to a folder on your server.
Create a symlink to /etc/passwd In the /uploads/ folder of the backup, e.g. /uploads/default/original/1X/[file].jpg.
---> You were able to read file contents of /etc/passwd due to the symlink being extracted from the tar.
{"id": "H1:213558", "hash": "a562349ddbb87de723180ac18c0a7007", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "Discourse: Arbitrary Local-File Read from Admin - Restore From Backup due to Symlinks", "description": "As an Admin user on Discourse there is a feature to create, upload, and restore backups. Generating a backup creates a tar file consisting of the database as a SQL file and uploaded files from /public/upload/*. Having the ability to upload these tar files and restore from them, you can add any file that you wish. \n\nManually modifying the tar archive and adding a symlink, you are able to read any arbitrary file that the user has permission to including files outside of the Discourse application directory.\n\n## Steps\n\n1. Load http://try.discourse.org\n2. Login as an Admin user.\n3. Go to the Backups page:\n * http://try.discourse.org/admin/backups/\n4. Create a new backup including files.\n5. Extract the backup files to a folder on your server.\n6. Create a symlink to `/etc/passwd` In the /uploads/ folder of the backup, e.g. `/uploads/default/original/1X/[file].jpg`.\n * example: `ln -s /etc/passwd /home/symlink/files/uploads/default/original/1X/7ad2e8f5fe02890f20503044b604e29e6f3718fd.png`\n7. Create a .tar.gz from the extracted files.\n8. Upload the newly crafted tar to the server.\n9. Enable `Restore from Backups` in settings if it's not enabled.\n10. Restore from the backup that uploaded.\n11. Go to the uploaded file in your browser after it uploads, e.g.\n * http://try.discourse.org/uploads/default/original/1X/[file].jpg\n12. ---> You were able to read file contents of `/etc/passwd` due to the symlink being extracted from the tar.\n\n", "published": "2017-03-15T02:26:12", "modified": "2017-05-13T21:25:53", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/213558", "reporter": "ziot", "references": [], "cvelist": [], "lastseen": "2018-04-19T17:34:13", "history": [{"lastseen": "2017-08-28T23:19:23", "bulletin": {"id": "H1:213558", "hash": "9d962dfb82d1e4f5173095ea48be1cb95a83f95395c72e563fcd6542f8069a8e", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "Discourse: Arbitrary Local-File Read from Admin - Restore From Backup due to Symlinks", "description": "As an Admin user on Discourse there is a feature to create, upload, and restore backups. Generating a backup creates a tar file consisting of the database as a SQL file and uploaded files from /public/upload/*. Having the ability to upload these tar files and restore from them, you can add any file that you wish. \n\nManually modifying the tar archive and adding a symlink, you are able to read any arbitrary file that the user has permission to including files outside of the Discourse application directory.\n\n## Steps\n\n1. Load http://try.discourse.org\n2. Login as an Admin user.\n3. Go to the Backups page:\n * http://try.discourse.org/admin/backups/\n4. Create a new backup including files.\n5. Extract the backup files to a folder on your server.\n6. Create a symlink to `/etc/passwd` In the /uploads/ folder of the backup, e.g. `/uploads/default/original/1X/[file].jpg`.\n * example: `ln -s /etc/passwd /home/symlink/files/uploads/default/original/1X/7ad2e8f5fe02890f20503044b604e29e6f3718fd.png`\n7. Create a .tar.gz from the extracted files.\n8. Upload the newly crafted tar to the server.\n9. Enable `Restore from Backups` in settings if it's not enabled.\n10. Restore from the backup that uploaded.\n11. Go to the uploaded file in your browser after it uploads, e.g.\n * http://try.discourse.org/uploads/default/original/1X/[file].jpg\n12. ---> You were able to read file contents of `/etc/passwd` due to the symlink being extracted from the tar.\n\n", "published": "2017-03-15T02:26:12", "modified": "1970-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/213558", "reporter": "ziot", "references": [], "cvelist": [], "lastseen": "2017-08-28T23:19:23", "history": [], "viewCount": 3, "enchantments": {}, "objectVersion": "1.4", "bounty": 512.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/discourse", "handle": "discourse", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/016/893/3dd37e1cfa3d9380ced573b87beae0c950703ddd_small.?1481849067", "medium": "https://profile-photos.hackerone-user-content.com/production/000/016/893/2ee366d05b47833a98f06c29cd5318d1bb134e20_medium.?1481849067"}}, "h1reporter": {"url": "/ziot", "hacker_mediation": false, "disabled": false, "is_me?": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/003/262/4157adbeb32efe0951e5d720f5fb0642e151420a_small.jpg?1486519525"}, "username": "ziot"}}, "differentElements": ["modified"], "edition": 2}, {"lastseen": "2018-02-07T16:57:57", "bulletin": {"id": "H1:213558", "hash": "f22ca6a23892d273cd7bc1b1114a19992cbdbdf269d4a6e63a6ed23a20689b3e", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "Discourse: Arbitrary Local-File Read from Admin - Restore From Backup due to Symlinks", "description": "As an Admin user on Discourse there is a feature to create, upload, and restore backups. Generating a backup creates a tar file consisting of the database as a SQL file and uploaded files from /public/upload/*. Having the ability to upload these tar files and restore from them, you can add any file that you wish. \n\nManually modifying the tar archive and adding a symlink, you are able to read any arbitrary file that the user has permission to including files outside of the Discourse application directory.\n\n## Steps\n\n1. Load http://try.discourse.org\n2. Login as an Admin user.\n3. Go to the Backups page:\n * http://try.discourse.org/admin/backups/\n4. Create a new backup including files.\n5. Extract the backup files to a folder on your server.\n6. Create a symlink to `/etc/passwd` In the /uploads/ folder of the backup, e.g. `/uploads/default/original/1X/[file].jpg`.\n * example: `ln -s /etc/passwd /home/symlink/files/uploads/default/original/1X/7ad2e8f5fe02890f20503044b604e29e6f3718fd.png`\n7. Create a .tar.gz from the extracted files.\n8. Upload the newly crafted tar to the server.\n9. Enable `Restore from Backups` in settings if it's not enabled.\n10. Restore from the backup that uploaded.\n11. Go to the uploaded file in your browser after it uploads, e.g.\n * http://try.discourse.org/uploads/default/original/1X/[file].jpg\n12. ---> You were able to read file contents of `/etc/passwd` due to the symlink being extracted from the tar.\n\n", "published": "2017-03-15T02:26:12", "modified": "2017-05-13T21:25:53", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/213558", "reporter": "ziot", "references": [], "cvelist": [], "lastseen": "2018-02-07T16:57:57", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 2.8, "modified": "2018-02-07T16:57:57", "vector": "AV:N/AC:M/Au:M/C:N/I:P/A:N/"}}, "objectVersion": "1.4", "bounty": 512.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/discourse", "handle": "discourse", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/016/893/3dd37e1cfa3d9380ced573b87beae0c950703ddd_small.?1481849067", "medium": "https://profile-photos.hackerone-user-content.com/production/000/016/893/2ee366d05b47833a98f06c29cd5318d1bb134e20_medium.?1481849067"}}, "h1reporter": {"url": "/ziot", "hacker_mediation": false, "disabled": false, "is_me?": false, "hackerone_triager": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/003/262/9e21e996f78cee1b0dc6c64d52dcae32c51d8fc3_small.jpg?1517000974"}, "username": "ziot"}}, "differentElements": ["h1team", "h1reporter"], "edition": 4}, {"lastseen": "2017-08-22T11:09:37", "bulletin": {"id": "H1:213558", "hash": "c968f9000a360191e54ae0628bf170d89f9b05ba7933fce9cc30c7b538b1cb5e", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "Discourse: Arbitrary Local-File Read from Admin - Restore From Backup due to Symlinks", "description": "As an Admin user on Discourse there is a feature to create, upload, and restore backups. Generating a backup creates a tar file consisting of the database as a SQL file and uploaded files from /public/upload/*. Having the ability to upload these tar files and restore from them, you can add any file that you wish. \n\nManually modifying the tar archive and adding a symlink, you are able to read any arbitrary file that the user has permission to including files outside of the Discourse application directory.\n\n## Steps\n\n1. Load http://try.discourse.org\n2. Login as an Admin user.\n3. Go to the Backups page:\n * http://try.discourse.org/admin/backups/\n4. Create a new backup including files.\n5. Extract the backup files to a folder on your server.\n6. Create a symlink to `/etc/passwd` In the /uploads/ folder of the backup, e.g. `/uploads/default/original/1X/[file].jpg`.\n * example: `ln -s /etc/passwd /home/symlink/files/uploads/default/original/1X/7ad2e8f5fe02890f20503044b604e29e6f3718fd.png`\n7. Create a .tar.gz from the extracted files.\n8. Upload the newly crafted tar to the server.\n9. Enable `Restore from Backups` in settings if it's not enabled.\n10. Restore from the backup that uploaded.\n11. Go to the uploaded file in your browser after it uploads, e.g.\n * http://try.discourse.org/uploads/default/original/1X/[file].jpg\n12. ---> You were able to read file contents of `/etc/passwd` due to the symlink being extracted from the tar.\n\n", "published": "2017-03-15T02:26:12", "modified": "1970-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/213558", "reporter": "ziot", "references": [], "cvelist": [], "lastseen": "2017-08-22T11:09:37", "history": [], "viewCount": 3, "enchantments": {}, "objectVersion": "1.4", "bounty": 512.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/discourse", "handle": "discourse", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/016/893/3dd37e1cfa3d9380ced573b87beae0c950703ddd_small.?1481849067", "medium": "https://profile-photos.hackerone-user-content.com/production/000/016/893/2ee366d05b47833a98f06c29cd5318d1bb134e20_medium.?1481849067"}}, "h1reporter": {"url": "/ziot", "hacker_mediation": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/003/262/4157adbeb32efe0951e5d720f5fb0642e151420a_small.jpg?1486519525"}, "disabled": false, "username": "ziot"}}, "differentElements": ["h1reporter"], "edition": 1}, {"lastseen": "2017-08-29T13:11:21", "bulletin": {"id": "H1:213558", "hash": "d70826ba4e151f8d8b5b6ff4a390ca1b25cf409d022ba619fe5e3613e6a34e6a", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "Discourse: Arbitrary Local-File Read from Admin - Restore From Backup due to Symlinks", "description": "As an Admin user on Discourse there is a feature to create, upload, and restore backups. Generating a backup creates a tar file consisting of the database as a SQL file and uploaded files from /public/upload/*. Having the ability to upload these tar files and restore from them, you can add any file that you wish. \n\nManually modifying the tar archive and adding a symlink, you are able to read any arbitrary file that the user has permission to including files outside of the Discourse application directory.\n\n## Steps\n\n1. Load http://try.discourse.org\n2. Login as an Admin user.\n3. Go to the Backups page:\n * http://try.discourse.org/admin/backups/\n4. Create a new backup including files.\n5. Extract the backup files to a folder on your server.\n6. Create a symlink to `/etc/passwd` In the /uploads/ folder of the backup, e.g. `/uploads/default/original/1X/[file].jpg`.\n * example: `ln -s /etc/passwd /home/symlink/files/uploads/default/original/1X/7ad2e8f5fe02890f20503044b604e29e6f3718fd.png`\n7. Create a .tar.gz from the extracted files.\n8. Upload the newly crafted tar to the server.\n9. Enable `Restore from Backups` in settings if it's not enabled.\n10. Restore from the backup that uploaded.\n11. Go to the uploaded file in your browser after it uploads, e.g.\n * http://try.discourse.org/uploads/default/original/1X/[file].jpg\n12. ---> You were able to read file contents of `/etc/passwd` due to the symlink being extracted from the tar.\n\n", "published": "2017-03-15T02:26:12", "modified": "2017-05-13T21:25:53", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/213558", "reporter": "ziot", "references": [], "cvelist": [], "lastseen": "2017-08-29T13:11:21", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 5.3, "modified": "2017-08-29T13:11:21"}}, "objectVersion": "1.4", "bounty": 512.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/discourse", "handle": "discourse", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/016/893/3dd37e1cfa3d9380ced573b87beae0c950703ddd_small.?1481849067", "medium": "https://profile-photos.hackerone-user-content.com/production/000/016/893/2ee366d05b47833a98f06c29cd5318d1bb134e20_medium.?1481849067"}}, "h1reporter": {"url": "/ziot", "hacker_mediation": false, "disabled": false, "is_me?": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/003/262/4157adbeb32efe0951e5d720f5fb0642e151420a_small.jpg?1486519525"}, "username": "ziot"}}, "differentElements": ["h1reporter"], "edition": 3}], "viewCount": 3, "enchantments": {"score": {"value": 0.6, "vector": "NONE", "modified": "2018-04-19T17:34:13"}, "dependencies": {"references": [], "modified": "2018-04-19T17:34:13"}, "vulnersScore": 0.6}, "objectVersion": "1.4", "bounty": 512.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/discourse", "handle": "discourse", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/000/016/893/3dd37e1cfa3d9380ced573b87beae0c950703ddd_small.?1481849067", "medium": "https://profile-photos.hackerone-user-content.com/000/016/893/2ee366d05b47833a98f06c29cd5318d1bb134e20_medium.?1481849067"}}, "h1reporter": {"url": "/ziot", "hacker_mediation": false, "disabled": false, "is_me?": false, "hackerone_triager": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/000/003/262/9e21e996f78cee1b0dc6c64d52dcae32c51d8fc3_small.jpg?1517000974"}, "username": "ziot"}, "_object_type": "robots.models.hackerone.HackerOneBulletin", "_object_types": ["robots.models.hackerone.HackerOneBulletin", "robots.models.base.Bulletin"]}
