Listen to this Post
This vulnerability exploits the behavior of Python’s `os.path.join()` function within Flask-AppBuilder’s file upload logic. When the non-default configuration options `UPLOAD_DIR` is set and `UPLOAD_KEEP_FILENAME=True` are both enabled, the application constructs a file path by joining the intended upload directory with the user-supplied filename. If an attacker submits a filename beginning with a forward slash (e.g., /etc/passwd), `os.path.join()` discards the preceding `UPLOAD_DIR` path component entirely. This results in the file being written to the absolute path specified by the attacker, enabling arbitrary file write to any location the application process can access.
dailycve
Platform: Flask-AppBuilder
Version: <0.0.22
Vulnerability: Path Traversal
Severity: Critical
date: 2024
Prediction: Patch released 2024
What Undercode Say:
Simulating the vulnerable path join
python3 -c "import os; print(os.path.join('/app/uploads', '/etc/shadow'))"
Example of malicious upload request malicious_filename = "/etc/cron.d/exploit" When UPLOAD_KEEP_FILENAME=True, the path becomes: os.path.join(UPLOAD_DIR, malicious_filename) -> /etc/cron.d/exploit
How Exploit:
Attacker crafts a multipart file upload request with a filename parameter containing an absolute path (e.g., `../../../../etc/passwd` or /etc/passwd). The application, with the vulnerable configuration, saves the file contents to the attacker-specified location instead of the intended upload directory.
Protection from this CVE:
Upgrade to version 0.0.22. If upgrade is not possible, do not set `UPLOAD_KEEP_FILENAME=True` in the configuration. Implement strict input validation on uploaded filenames, sanitizing path separators.
Impact:
Arbitrary File Write leading to Remote Code Execution, system file corruption, or data theft.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

