GHSA-3227-R97M-8J95
Vulnerability from github – Published: 2022-04-22 20:16 – Updated: 2022-04-22 20:16
VLAI
Summary
Relative Path Traversal in afire serve_static
Details
Impact
This vulnerability effects the built-in afire serve_static extension allowing paths containing //.... to bypass the previous path sanitation and request files in higher directories that should not be accessible.
Patches
The issue has been fixed in afire 1.1.0. If you can, just update to the newest version of afire.
Workarounds
If you can't update afire you can simply disallow paths containing /.. with the following middleware.
Make sure this is the last middleware added to the server so it runs first, stopping the bad requests.
use afire::prelude::*;
struct PathTraversalFix;
impl Middleware for PathTraversalFix {
fn pre(&self, req: Request) -> MiddleRequest {
if req.path.replace("\\", "/").contains("/..") {
return MiddleRequest::Send(
Response::new()
.status(400)
.text("Paths containing `..` are not allowed"),
);
}
MiddleRequest::Continue
}
}
let mut server = Server::new(host, port);
PathTraversalFix.attach(&mut server);
References
You can read about the new changes to afire in 1.1.0 here
For more information
If you have any questions or comments about this advisory you can email me or message me on discord. [https://connorcode.com/contact]
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "afire"
},
"ranges": [
{
"events": [
{
"introduced": "0.2.1"
},
{
"fixed": "1.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-34"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-22T20:16:45Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nThis vulnerability effects the built-in afire serve_static extension allowing paths containing `//....` to bypass the previous path sanitation and request files in higher directories that should not be accessible.\n\n### Patches\nThe issue has been fixed in [afire 1.1.0](https://crates.io/crates/afire/1.1.0).\nIf you can, just update to the newest version of afire.\n\n### Workarounds\nIf you can\u0027t update afire you can simply disallow paths containing `/..` with the following middleware.\nMake sure this is the last middleware added to the server so it runs first, stopping the bad requests.\n```rust\nuse afire::prelude::*;\n\nstruct PathTraversalFix;\n\nimpl Middleware for PathTraversalFix {\n fn pre(\u0026self, req: Request) -\u003e MiddleRequest {\n if req.path.replace(\"\\\\\", \"/\").contains(\"/..\") {\n return MiddleRequest::Send(\n Response::new()\n .status(400)\n .text(\"Paths containing `..` are not allowed\"),\n );\n }\n\n MiddleRequest::Continue\n }\n}\n```\n```rust\nlet mut server = Server::new(host, port);\nPathTraversalFix.attach(\u0026mut server);\n```\n\n### References\nYou can read about the new changes to afire in 1.1.0 [here](https://connorcode.com/writing/afire/update-3)\n\n### For more information\nIf you have any questions or comments about this advisory you can email me or message me on discord.\n[[https://connorcode.com/contact](https://connorcode.com/contact)]",
"id": "GHSA-3227-r97m-8j95",
"modified": "2022-04-22T20:16:45Z",
"published": "2022-04-22T20:16:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Basicprogrammer10/afire/security/advisories/GHSA-3227-r97m-8j95"
},
{
"type": "WEB",
"url": "https://github.com/Basicprogrammer10/afire/commit/da7904c04f82e1cb43cc42eaf6a1dba072b5c921"
},
{
"type": "PACKAGE",
"url": "https://github.com/Basicprogrammer10/afire"
},
{
"type": "WEB",
"url": "https://github.com/Basicprogrammer10/afire/releases/tag/v1.1.0"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Relative Path Traversal in afire serve_static"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…