Discourse: Arbitrary Local-File Read from Admin - Restore From Backup due to Symlinks
2017-03-15T02:26:12
ID H1:213558 Type hackerone Reporter ziot Modified 2017-05-13T21:25:53
Description
As an Admin user on Discourse there is a feature to create, upload, and restore backups. Generating a backup creates a tar file consisting of the database as a SQL file and the uploaded files from /public/upload/*. Because these tar files can be uploaded and restored, you can add any file that you wish to the archive.
By manually modifying the tar archive and adding a symlink, you are able to read any file that the application user has permission to read, including files outside of the Discourse application directory.
Steps
1. Load http://try.discourse.org
2. Login as an Admin user.
3. Go to the Backups page: http://try.discourse.org/admin/backups/
4. Create a new backup including files.
5. Extract the backup files to a folder on your server.
6. Create a symlink to /etc/passwd in the /uploads/ folder of the backup, e.g. /uploads/default/original/1X/[file].jpg. Example: ln -s /etc/passwd /home/symlink/files/uploads/default/original/1X/7ad2e8f5fe02890f20503044b604e29e6f3718fd.png
7. Create a .tar.gz from the extracted files.
8. Upload the newly crafted tar to the server.
9. Enable "Restore from Backups" in settings if it's not enabled.
10. Restore from the backup that was uploaded.
11. Go to the uploaded file in your browser after it uploads, e.g. http://try.discourse.org/uploads/default/original/1X/[file].jpg
12. ---> You were able to read the file contents of /etc/passwd due to the symlink being extracted from the tar.
Report: https://hackerone.com/reports/213558 (bounty $512, resolved; no CVSS score assigned)
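The root cause above is that the restore step extracts whatever entry types the archive carries, so a symlink entry becomes a symlink on disk and the web server then serves its target. The defensive check below is an added example, not Discourse's code and not the fix the project shipped: a Ruby routine that walks every header of an uploaded backup archive before extraction and refuses symlinks, hardlinks, absolute paths and ".." components. The sample archive is constructed in memory with Ruby's bundled rubygems tar classes; the entry names and the `write_link_header` helper are assumptions made for the demonstration.

```ruby
require "rubygems/package"
require "stringio"

# ustar typeflag values (POSIX.1-1988) for the entry kinds a restore must refuse.
TAR_HARDLINK = "1"
TAR_SYMLINK  = "2"

# Scan every header in a tar stream and return [entry_name, reason] pairs for
# entries that must block the restore: symlinks and hardlinks (whatever their
# target), absolute paths, and ".." components that escape the extraction root.
# An empty array means only plain files and directories inside the root remain.
def unsafe_tar_entries(io)
  problems = []
  Gem::Package::TarReader.new(io) do |tar|
    tar.each do |entry|
      name   = entry.full_name
      header = entry.header
      if header.typeflag == TAR_SYMLINK
        problems << [name, "symlink -> #{header.linkname}"]
      elsif header.typeflag == TAR_HARDLINK
        problems << [name, "hardlink -> #{header.linkname}"]
      elsif name.start_with?("/")
        problems << [name, "absolute path"]
      elsif name.split("/").include?("..")
        problems << [name, "path traversal"]
      end
    end
  end
  problems
end

# Helper (assumed, for the sample only): write a link entry as a raw ustar
# header. Link entries carry no data block, just the target in linkname.
def write_link_header(io, name, target, typeflag)
  io.write Gem::Package::TarHeader.new(
    name: name, prefix: "", mode: 0o644, size: 0,
    typeflag: typeflag, linkname: target, mtime: 0
  ).to_s
end

# Constructed sample archive (not a real Discourse backup): one legitimate
# upload, a symlink entry aimed at /etc/passwd as in the report, a hardlink
# entry, and a regular file whose name climbs out of the uploads directory.
def build_sample_tar
  io = StringIO.new
  Gem::Package::TarWriter.new(io) do |tar|
    tar.add_file_simple("uploads/default/original/1X/ok.png", 0o644, 4) { |f| f.write "PNG!" }
    write_link_header(io, "uploads/default/original/1X/evil.png", "/etc/passwd", TAR_SYMLINK)
    write_link_header(io, "uploads/default/original/1X/link.png", "../../secret.txt", TAR_HARDLINK)
    tar.add_file_simple("uploads/../outside.txt", 0o644, 2) { |f| f.write "hi" }
  end
  io.string
end

if __FILE__ == $PROGRAM_NAME
  unsafe_tar_entries(StringIO.new(build_sample_tar)).each do |name, reason|
    puts "REJECT #{name}: #{reason}"
  end
end
```

The check runs on the uncompressed tar stream, so a .tar.gz backup would be decompressed to a temporary file first and that file handed to `unsafe_tar_entries`; if the returned array is non-empty the restore should stop before any entry is written to disk. Rejecting link entries outright is simpler and safer than validating their targets, because a backup of uploads has no legitimate reason to contain links.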