Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security] Path Traversal In Windows #1714

Closed
LLfam opened this issue Sep 26, 2020 · 4 comments
Closed

[Security] Path Traversal In Windows #1714

LLfam opened this issue Sep 26, 2020 · 4 comments
Assignees
@pmlopes
Labels
bug
Milestone
3.9.4

Comments

@LLfam
Copy link

LLfam commented Sep 26, 2020
edited
Loading

Hi, I think there is a potential vul in io.vertx.ext.web.handler.StaticHandler.

Example code:
https://github.com/vert-x3/vertx-examples/blob/3.x/web-examples/src/main/java/io/vertx/example/web/staticsite/Server.java

Use PoC below will lead to Path Traversal in Windows
PoC:
http://ip:8080/%5c..%5cServer.java

%5c..%5c is a legitimate path for the URI spec. But in Handler, directly use it to find some resources is not security.

In io.vertx.ext.web.handler.impl.StaticHandlerImpl#handle, io.vertx.core.http.impl.HttpUtils#removeDots just sanitize /../ without considering \..\. So it will lead a Path Traversal in Windows.
@LLfam LLfam added the bug label Sep 26, 2020
@pmlopes pmlopes self-assigned this Sep 27, 2020
@pmlopes pmlopes added this to the 4.0.0 milestone Sep 27, 2020
pmlopes added a commit that referenced this issue Sep 29, 2020
@pmlopes
Fixes #1714: Handle all paths as UNIX
375c656 
Signed-off-by: Paulo Lopes <pmlopes@gmail.com>

(cherry picked from commit d519a09)
Signed-off-by: Paulo Lopes <pmlopes@gmail.com>
@tmousaw-ptc
Copy link

Any chance that this will be backported to a 3.9.x patch release since this has a pretty high CVSS score per Sonatype?

@LLfam
Copy link
Author

LLfam commented Oct 7, 2020

Hi, when I search CVE for this issue, i found CVE-2018-12542.
The vul I found is same as vul mentioned in issue#1025. This vul is fixed in Release 3.5.4. But Release 3.6.0+ is same as 3.5.3 that vul isn't fixed.
I don't know how it is caused.

@vietj
Copy link
Contributor

vietj commented Oct 7, 2020 via email

vietj pushed a commit that referenced this issue Oct 15, 2020
@pmlopes @vietj
Fixes #1714: Handle all paths as UNIX (CVE-2019-17640)
b12f7c4 
Signed-off-by: Paulo Lopes <pmlopes@gmail.com>

(cherry picked from commit d519a09)
Signed-off-by: Paulo Lopes <pmlopes@gmail.com>
@vietj vietj modified the milestones: 4.0.0, 3.9.4 Oct 15, 2020
@vietj
Copy link
Contributor

vietj commented Oct 15, 2020

This has been recorded as CVE-2019-17640

@cescoffier cescoffier mentioned this issue Oct 17, 2020
Merged
@mend-for-github-com mend-for-github-com bot mentioned this issue Dec 16, 2020
Open
1 task
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Mar 10, 2021
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue May 10, 2021
Open
@mend-for-github-com mend-for-github-com bot mentioned this issue Aug 19, 2021
Open
@mend-for-github-com mend-for-github-com bot mentioned this issue Nov 3, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@pmlopes pmlopes

Labels
bug
Milestone
3.9.4
Development

No branches or pull requests
4 participants
@vietj @pmlopes @LLfam @tmousaw-ptc