FlightPHP (runway), Path Traversal, CVE-NotDisclosed (Medium)


How the mentioned CVE works:

The make:controller CLI command in FlightPHP’s Runway builds a directory path directly from the user-supplied controller name before any class-name validation. The vulnerable code in ControllerCommand.php (lines 63-66) checks whether the parent directory exists, then calls mkdir(dirname($controllerPath), 0755, true). Because the controller name can contain “../” sequences, dirname() resolves to a path outside the project root, and the recursive mkdir then creates arbitrary directories anywhere the web server user has write permission. Nette’s class-name validation later rejects the malicious controller name (e.g., one containing slashes) and throws an exception, but the directory-creation side effect has already occurred. An attacker can create nested directories anywhere on the filesystem, including /tmp, /var/log, or shared CI volumes. On Windows, backslash separators provide additional traversal vectors. The root cause is that validation runs after the filesystem operation. The patch in version 3.18.1 (commit b8dd23a) normalizes the controller name with basename() and validates it against ^[A-Za-z_][A-Za-z0-9_]$ before any mkdir call, eliminating the traversal vector.

dailycve form:

Platform: FlightPHP (runway)
Version: <3.18.0
Vulnerability: Path traversal
Severity: Medium
Date: 2024-11-20

Prediction: 2024-11-22

What Undercode Say:

```shell
# Check affected version
composer show flightphp/runway | grep versions

# Simulate the vulnerability (PoC)
php vendor/flightphp/runway/runway make:controller '../../../../tmp/pwn_test/dir'

# Verify directory creation
ls -la /tmp/pwn_test/

# Patch verification after update
grep -A5 "validateControllerName" vendor/flightphp/runway/src/Commands/ControllerCommand.php
```

Exploit:

```shell
# Create traversal payload
PAYLOAD="../../../../tmp/pwn_test/dir"
php runway make:controller "$PAYLOAD"

# On Windows
PAYLOAD="..\..\..\..\Windows\Temp\pwn"
php runway make:controller "$PAYLOAD"
```

Protection from this CVE:

  • Upgrade to FlightPHP Runway 3.18.1 or later immediately
  • Apply commit b8dd23a manually if patching not possible
  • Restrict CLI command execution to trusted users only
  • Use filesystem whitelisting: validate all path components against ^[A-Za-z0-9_/]+$
  • Run CI/CD pipelines with least-privilege containers (read-only root, no /tmp write)
  • Monitor for unexpected directory creation using auditd: `auditctl -w / -p wa -k mkdir_traversal`
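The ordering fix described above (validate the name, then touch the filesystem) and the whitelisting advice in this list both come down to the same check. The following PHP is an added example, not Runway's own code: the project root, the app/controllers layout and the function names are assumptions, and the real validateControllerName() in Runway may differ. It rejects the two payload strings from this advisory before mkdir is ever reachable, and it deliberately does not rely on basename(), which would silently strip "../../etc/foo" down to an apparently clean "foo".

```php
<?php
// Added example, not Runway's own code: validate the controller name before any
// filesystem call, which is the ordering the 3.18.1 fix restores. Project root,
// the app/controllers layout and the function names are assumptions.
declare(strict_types=1);

final class ControllerNameException extends InvalidArgumentException {}

/**
 * Accept only a bare PHP identifier. This refuses "../", "..\", absolute paths,
 * null bytes and namespace separators without calling basename(). The D
 * modifier stops "$" from matching before a trailing newline.
 */
function validateControllerName(string $raw): string
{
    if (strpos($raw, '/') !== false || strpos($raw, '\\') !== false) {
        throw new ControllerNameException('path separator in controller name: ' . json_encode($raw));
    }
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/D', $raw)) {
        throw new ControllerNameException('not a valid identifier: ' . json_encode($raw));
    }
    return $raw;
}

/**
 * Resolve the target file and create its parent directory only after the name
 * has passed validation; with the checks above, $dir can never leave $projectRoot.
 */
function controllerPath(string $projectRoot, string $rawName, bool $createDir = false): string
{
    $name = validateControllerName($rawName);   // throws before mkdir is reachable
    $dir  = rtrim($projectRoot, '/\\') . '/app/controllers';
    $path = $dir . '/' . $name . 'Controller.php';
    if ($createDir && !is_dir($dir)) {
        mkdir($dir, 0755, true);
    }
    return $path;
}

// Constructed self-check: the two payload strings from the advisory must be rejected.
$cases = [
    'User'                               => true,
    '../../../../tmp/pwn_test/dir'       => false,
    '..\\..\\..\\..\\Windows\\Temp\\pwn' => false,
    '/etc/cron.d/evil'                   => false,
    "User\0.php"                         => false,
    "User\n"                             => false,
    '1Bad'                               => false,
];
foreach ($cases as $input => $expectOk) {
    try {
        controllerPath('/srv/app', $input);
        $ok = true;
    } catch (ControllerNameException $e) {
        $ok = false;
    }
    printf("%-40s %s\n", json_encode($input), $ok === $expectOk ? 'PASS' : 'FAIL');
}
```

Run it with `php validate_controller_name.php` (any file name works); every line should print PASS. The design point is that no filesystem call sits on the code path before validation, so a rejected name has no side effects, which is exactly the property the vulnerable ordering lacked.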

Impact:

  • Local attacker can create arbitrary directories outside project root
  • Enables log-file planting for LFI chaining (e.g., creating /tmp/../var/log/attack.php)
  • On shared hosting or CI agents, may write to sensitive locations (e.g., /etc/cron.d/)
  • Precedes other vulnerabilities: combined with template inclusion leads to RCE
  • Windows systems: directory creation in Program Files, Windows\System32 (if writeable)


Sources:

Reported By: github.com