How the CVE Works
The vulnerability arises in eKuiper's `fileUploadHandler` function, which improperly sanitizes user-supplied filenames. By submitting a crafted path (e.g., `../test`), an attacker can bypass directory restrictions and write arbitrary files to locations outside the intended `/kuiper/data/uploads` directory. This occurs because the function fails to validate or normalize the filename, allowing traversal sequences (`../`) to escape the target folder. The flaw enables overwriting critical system files owned by the `kuiper` user, including binaries, potentially leading to remote code execution.
Platform: eKuiper
Version: <1.6.1
Vulnerability: Path Traversal
Severity: Critical
Date: 2023-03-15
Prediction: Patch by Q2 2023
What Undercode Say
curl -X POST -F "[email protected]" http://<target>/upload?filename=../../bin/kuiper
// Vulnerable code snippet (rest.go):
func fileUploadHandler(c *gin.Context) {
    filename := c.Query("filename")           // Unsanitized input taken straight from the query string
    dst := filepath.Join(uploadDir, filename) // Path traversal possible: "../" in filename escapes uploadDir
}
How to Exploit
1. Upload file with `../` in filename.
2. Overwrite `/kuiper/bin` binaries.
3. Execute arbitrary code as `kuiper` user.
Protection from this CVE
- Sanitize filenames.
- Restrict write permissions.
- Update to v1.6.1+.
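The following is an added example, not eKuiper's own code, showing the unsafe join from the snippet above next to a hardened filename check that implements the "Sanitize filenames" mitigation; `uploadDir`, `vulnerableJoin` and `safeUploadPath` are names chosen here for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// uploadDir mirrors the upload directory named in the advisory (assumed value).
const uploadDir = "/kuiper/data/uploads"

// vulnerableJoin reproduces the unsafe pattern: the user-supplied name is
// joined to uploadDir with no validation, so "../" sequences escape it.
func vulnerableJoin(name string) string {
	return filepath.Join(uploadDir, name)
}

// safeUploadPath is the hardened version. It accepts only a bare file name
// (no directory components), rejects "." and "..", and then confirms as a
// defense-in-depth check that the resolved path is still inside uploadDir.
func safeUploadPath(name string) (string, error) {
	if name == "" || name != filepath.Base(name) {
		return "", errors.New("filename must not contain path components")
	}
	if name == "." || name == ".." {
		return "", errors.New("invalid filename")
	}
	dst := filepath.Join(uploadDir, name)
	rel, err := filepath.Rel(uploadDir, dst)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("filename escapes upload directory")
	}
	return dst, nil
}

func main() {
	// Constructed sample inputs: one benign name, two traversal attempts.
	for _, name := range []string{"report.csv", "../../bin/kuiper", ".."} {
		fmt.Printf("%-18s vulnerable=%s", name, vulnerableJoin(name))
		if dst, err := safeUploadPath(name); err != nil {
			fmt.Printf(" hardened=rejected (%v)\n", err)
		} else {
			fmt.Printf(" hardened=%s\n", dst)
		}
	}
}
```

Running it shows `../../bin/kuiper` resolving to `/kuiper/bin/kuiper` under the vulnerable join, which is exactly the binary overwrite the advisory describes, while the hardened function rejects it.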
Impact
- Remote code execution.
- System compromise.
- Data manipulation.
Sources:
Reported By: github.com