WEBSECURITYLOG:60132FFDF01927FD86A9BBC0859E43E9
websecuritylog, Anonymous ([email protected])
History: Oct 20, 2014 - 8:32 a.m.

Facebook Web Security Bug Bounty: Directory Traversal Vulnerability / RCE In Parse.com

2014-10-20 08:32:00
Anonymous ([email protected])
www.websecuritylog.com
300

AI Score: 6.8 Medium (Confidence: Low)

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

EPSS: 0.003 Low (Percentile: 70.6%)

http://parse.com directory traversal vulnerability

Little Insight:

http://parse.com was vulnerable to a directory traversal / RCE vulnerability. As a result, it was possible for an attacker to load web-server-readable files from the local filesystem, or to run commands on the server.

Well, this is my 4th reward from Facebook, for a Directory Traversal / RCE vulnerability.

That gives me 5th position on the Facebook White Hat page.

Report Date: 23 July 2014

Reward for the Directory Traversal / RCE vulnerability: $20,000

How does this work?

As discussed earlier in my old post on the Flowdock Directory Traversal Vulnerability, the bug exposed files outside of Rails' view paths: '%5C' turns into '\' after decoding, while Rack::Protection only rejects '/../' segments in the request path.

A patch was applied to Rack::Protection according to CVE-2014-0130, and it now also rejects '%5C', which turns into '\' after decoding.

Now, my work...

My finding

In the above summary (CVE-2014-0130), it rejects '/../' segments in the request path, and the path is also sanitized to filter out malicious characters like “…%5c”.

Now I try to bypass the filter with \…/ or \…%2f segments in the request path. More details I will disclose in my next post: the Ruby on Rails Rack::Protection bypass affects old versions.

Patched versions you can use: 4.1.1, 4.0.5, 3.2.18.

Now, coming back to Parse.com (a Facebook acquisition).

Here is the proof of concept that I included with the LFI/RCE bug. It displayed the contents of /etc/passwd or /Gemfile from the http://parse.com server.

More than 5 pages on parse.com were vulnerable to the same vector.

One of them:

PoC URL: https://parse.com/about/\…%2f\…%2f\…%2fGemfile
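The two points above (a segment check that only looks for a literal '/../' in the raw path, and '%5C' turning into a backslash after decoding) are easiest to see side by side in code. The following is an added example, not code from the original post or from Rack::Protection: a small Ruby resolver that decodes before it checks, treats a backslash as a path separator, and finally confirms the expanded path is still inside the document root. The root directory (`/srv/app/public`) and the request paths in the demo are constructed values; the `SafePath` module and its method names are my own.

```ruby
# Added example, not code from the original post: a request-path resolver that
# closes the gaps the post describes. It percent-decodes before checking,
# treats a backslash as a separator, and finally confirms the expanded path
# still lies inside the intended root directory.
module SafePath
  MAX_DECODE_ROUNDS = 3

  # Percent-decode repeatedly so double-encoded sequences such as
  # "%252e%252e%252f" cannot survive a single decoding pass.
  def self.percent_decode(str)
    current = str.b
    MAX_DECODE_ROUNDS.times do
      decoded = current.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
      break if decoded == current
      current = decoded
    end
    current.force_encoding(Encoding::UTF_8)
  end

  # The kind of check the post says was bypassed: it only looks for a literal
  # "/../" segment in the raw (still encoded) request path.
  def self.naive_rejects?(request_path)
    request_path.include?("/../")
  end

  # Returns the absolute filesystem path under +root+ for +request_path+,
  # or nil when the request must be refused.
  def self.resolve(root, request_path)
    return nil if request_path.nil? || request_path.empty?
    decoded = percent_decode(request_path)
    return nil unless decoded.valid_encoding?          # refuse malformed bytes
    return nil if decoded.include?("\0")                # NUL-byte truncation
    # "%5C" decodes to a backslash; normalise it to "/" so that "\.." is seen
    # as a ".." segment rather than as an odd file name.
    segments = decoded.tr("\\", "/").split("/").reject(&:empty?)
    return nil if segments.any? { |s| s == ".." }       # any traversal segment
    return nil if segments.first.to_s.start_with?("~")  # expand_path would expand ~
    root_abs = File.expand_path(root)
    candidate = File.expand_path(segments.join("/"), root_abs)
    # Containment check: the resolved path must be the root itself or under it.
    return nil unless candidate == root_abs || candidate.start_with?(root_abs + "/")
    candidate
  end
end

if __FILE__ == $PROGRAM_NAME
  root = "/srv/app/public"                        # constructed document root
  bypass = "/about/\\..%2f\\..%2f\\..%2fGemfile"  # shape of the vector in the post
  puts "naive check rejects the bypass vector? #{SafePath.naive_rejects?(bypass)}"
  puts "resolve(bypass)      => #{SafePath.resolve(root, bypass).inspect}"
  puts "resolve(/about/team) => #{SafePath.resolve(root, '/about/team')}"
end
```

The containment check at the end is the part worth keeping even if every other filter is removed: `File.expand_path` collapses `.` and `..` for you, so comparing the result against the root catches any traversal that the segment checks missed. The `~` guard is there because `File.expand_path` also expands a leading tilde to a home directory, which is not what a web root resolver wants.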

After some time,

I found how to convert a Ruby on Rails LFI into remote code execution, or a shell.

Thanks to Jeff Jarmoc for the great article on remote code execution / shell that made RCE on parse.com possible.

PoC URL: https://parse.com/about/\…%2f\…%2f\…%2fproduction.log?codetoexec=?

More about:

The vulnerability mentioned here has been confirmed and fixed by the Facebook team.

I would like to thank Jeff Jarmoc for such a great article, and Neal for handling this issue. The vulnerability was patched and the fix was deployed in production within 2 hours of my initial report.


You can also meet me on Facebook and Twitter.
