XAPI HTTP directory traversal

2018-08-14 17:00:00
Xen Project
xenbits.xen.org

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.023 Low
Percentile: 89.7%

ISSUE DESCRIPTION

XAPI has an unauthenticated HTTP endpoint, update/, which exports the contents of /var/update for other hosts to use.
However, the resolution of . and .. in paths is performed before URL unquoting is performed, so percent-encoded dot segments are not collapsed and are decoded afterwards. This allows an attacker to traverse out of the web root.
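The ordering problem described above, shown as an added Python illustration rather than XAPI's own (OCaml) code: the vulnerable resolver collapses dot segments before decoding, the hardened one decodes first and then verifies the result stays under the export directory. WEB_ROOT and the request paths are constructed values.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed for this illustration: the directory the update/ endpoint exports.
WEB_ROOT = "/var/update"


def _inside_root(path: str) -> bool:
    """True if an already-normalised absolute path stays under WEB_ROOT."""
    return path == WEB_ROOT or path.startswith(WEB_ROOT + "/")


def resolve_vulnerable(request_path: str) -> str:
    """Ordering the advisory describes: collapse '.' and '..' BEFORE URL decoding.

    A literal '..' is neutralised by normpath, but a percent-encoded one passes
    through untouched, is decoded afterwards, and is finally resolved by the
    filesystem when the file is opened.
    """
    normalised = posixpath.normpath("/" + request_path)  # '..' is collapsed here...
    decoded = unquote(normalised)                        # ...but '%2e%2e' appears here
    # The path the filesystem will actually resolve on open():
    return posixpath.normpath(WEB_ROOT + decoded)


def resolve_hardened(request_path: str) -> Optional[str]:
    """Fixed ordering: decode first, normalise second, then check containment.

    Returns the filesystem path to serve, or None if the request escapes WEB_ROOT.
    """
    decoded = unquote(request_path)
    if "\x00" in decoded:  # a NUL byte would truncate the path in a C-level open()
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    return candidate if _inside_root(candidate) else None


if __name__ == "__main__":
    for req in ("foo/bar.txt", "../../etc/hostname", "%2e%2e/%2e%2e/etc/hostname"):
        print(f"{req!r:32} vulnerable -> {resolve_vulnerable(req)!r:30} "
              f"hardened -> {resolve_hardened(req)!r}")
```

The same decode-then-normalise-then-contain sequence is the check to look for when reviewing any file-serving handler; a request log showing `%2e%2e` or `%2E%2E` segments against such an endpoint is worth flagging.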

IMPACT

An unauthenticated user with access to the management network can read arbitrary files from the dom0 filesystem. This includes the pool secret /etc/xensource/ptoken which grants the attacker full administrator access.

VULNERABLE SYSTEMS

All versions of XAPI since v1.13.0 are vulnerable.
If the directory /var/update doesn’t exist, the vulnerability is not exposed.
