Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

RCE via Directory Traversal in CivetWeb HTTP server - 655

Denys Vozniuk & Shachar Menashe - JFrog. Posted 4 Years Ago
  • CivetWeb is an embeddable web server/library. It can be used as a standalone web server or to add web server functionality to an existing application.
  • CivetWeb has built-in file upload functionality. The API mg_handle_form_request is used for uploading the files. The code has directory traversal (../) sanitization of the uploaded file name. However, there is a logic bug in the conditional compilation that makes the check platform dependent: the protection works ONLY on Windows builds. As a result, macOS and Linux builds are vulnerable to this attack.
  • According to the post, the validation is effectively absent on non-Windows builds because of a build-specific issue. There is a conditional compilation check where the else branch simply checks that the string does not contain a '&'. In reality, this code SHOULD have been checking for a forward slash '/' (the path separator on Linux and macOS) instead, since an uploaded file name containing '../' is otherwise written outside the intended upload directory.
  • The fix is to remove all of the 'dot' segments ('.' and '..' path components) from the supplied file name. This prevents the standard directory traversal vulnerability. Overall, good post and an impactful find.
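To make the bug and the fix concrete, here is an added example in C that is not CivetWeb's code and not from the JFrog post. `upload_name_ok_vulnerable` models the platform-dependent check described above (the real code uses a compile-time `#if`; a `windows_build` flag is used here so both branches can be exercised in one binary, and the exact Windows-side check is an assumption). `safe_upload_path` shows the dot-segment removal approach the fix takes: "." and ".." components are resolved before the name is joined under the upload root, and any name that would climb above the root is rejected. The root directory `/var/uploads` and the sample file names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SEGS 32

/* Models the build-dependent check from the post (assumption: the Windows
 * branch rejects path separators). Returns 1 if the name is accepted.
 * On non-Windows builds only '&' is rejected, so "../" slips through. */
int upload_name_ok_vulnerable(const char *name, int windows_build)
{
    if (windows_build) {
        if (strchr(name, '\\') || strchr(name, '/'))
            return 0;
        return 1;
    }
    return strchr(name, '&') == NULL;   /* the buggy 'else' branch */
}

/* Hardened variant: strip "." and ".." segments from `name`, then join the
 * remaining segments under `root`. Both '/' and '\\' are treated as
 * separators. Returns 1 and fills `out` when the result stays inside
 * `root`; returns 0 when the name would climb out, is empty, or does not fit. */
int safe_upload_path(const char *root, const char *name, char *out, size_t outlen)
{
    const char *segs[MAX_SEGS];
    size_t lens[MAX_SEGS];
    int n = 0;
    const char *p = name;

    while (*p) {
        const char *start = p;
        while (*p && *p != '/' && *p != '\\')
            p++;
        size_t len = (size_t)(p - start);
        if (*p)
            p++;                                   /* skip the separator */
        if (len == 0 || (len == 1 && start[0] == '.'))
            continue;                              /* "" and "." add nothing */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (n == 0)
                return 0;                          /* would climb above root */
            n--;                                   /* ".." pops one segment */
            continue;
        }
        if (n == MAX_SEGS)
            return 0;
        segs[n] = start;
        lens[n] = len;
        n++;
    }
    if (n == 0)
        return 0;                                  /* no file name left */

    size_t used = strlen(root);
    if (used + 1 >= outlen)
        return 0;
    memcpy(out, root, used);
    for (int i = 0; i < n; i++) {
        if (used + 1 + lens[i] + 1 > outlen)       /* '/' + segment + NUL */
            return 0;
        out[used++] = '/';
        memcpy(out + used, segs[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return 1;
}

int main(void)
{
    const char *names[] = { "report.pdf", "../../etc/passwd", "foo/../bar.txt" };
    char path[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        printf("%-18s vulnerable(linux)=%d vulnerable(windows)=%d ",
               names[i],
               upload_name_ok_vulnerable(names[i], 0),
               upload_name_ok_vulnerable(names[i], 1));
        if (safe_upload_path("/var/uploads", names[i], path, sizeof path))
            printf("hardened -> %s\n", path);
        else
            printf("hardened -> rejected\n");
    }
    return 0;
}
```

The point the example makes is the one the post makes: a sanitizer that only compiles in on one platform is no sanitizer at all on the others, and the robust fix is to normalize the name (dropping dot segments and refusing anything that escapes the root) rather than to blacklist individual characters.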