The vulnerability exists in the `is_safe_path` function, which uses `os.path.commonprefix` for path verification. That function performs a plain character-by-character string comparison rather than comparing path components. For a safe root of `/home/mobsf/.MobSF/downloads` and a user-supplied absolute path such as `/home/mobsf/.MobSF/downloads_bak/test.txt`, the check incorrectly returns `True` because the string prefix matches. The download handler constructs the target path as `Path(root) / filename`. If `filename` is an absolute path (beginning with `/`), the `root` part is discarded and the whole path resolves to the user-supplied absolute value. The flawed `is_safe_path` check then accepts this path, allowing file retrieval from any sibling directory whose absolute path string starts with the same characters as the safe root directory.
Platform: MobSF
Version: < v3.8.3
Vulnerability: Path Traversal
Severity: Critical
Date: 2024-03-28
Prediction: Patch Expected 2024-04-11
What Undercode Say:
Check for the vulnerable function:
`grep -n "commonprefix" MobSF/views/home.py`
Simulate the flawed check:
`python3 -c "import os; print(os.path.commonprefix(['/home/mobsf/.MobSF/downloads_bak/test', '/home/mobsf/.MobSF/downloads']))"`
Create a test sibling directory for the PoC:
`mkdir -p /home/mobsf/.MobSF/downloads_bak && echo "test_data" > /home/mobsf/.MobSF/downloads_bak/test.txt`
How Exploit:
GET /download///home/mobsf/.MobSF/downloads_bak/test.txt HTTP/1.1
Host: 192.168.1.100:8000
Cookie: sessionid=<valid_session_cookie>
Protection from this CVE
Replace `os.path.commonprefix` with `os.path.commonpath` or validate that the normalized user-input path starts with the normalized safe root directory.
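The flawed check beside the hardened one, as an added illustration written for this post rather than MobSF's own code: `is_safe_path_flawed` reconstructs the `commonprefix` comparison described above, `is_safe_path_fixed` normalises both paths and compares whole components with `os.path.commonpath`, and `resolve_download` is an assumed stand-in for the download handler's `Path(root) / filename` construction.

```python
import os
from pathlib import Path

# Safe root named in the advisory.
SAFE_ROOT = "/home/mobsf/.MobSF/downloads"


def is_safe_path_flawed(safe_root: str, path: str) -> bool:
    """Reconstruction of the vulnerable check: commonprefix compares
    characters, not directory components, so a sibling directory whose
    name merely starts with the root name passes."""
    return os.path.commonprefix([safe_root, path]) == safe_root


def is_safe_path_fixed(safe_root: str, path: str) -> bool:
    """Hardened check: normalise both paths (collapsing '..' and duplicate
    separators) and require the root to be a whole-component prefix."""
    root = os.path.normpath(os.path.abspath(safe_root))
    candidate = os.path.normpath(os.path.abspath(path))
    try:
        return os.path.commonpath([root, candidate]) == root
    except ValueError:
        # Raised when the paths cannot share a prefix at all
        # (e.g. different drives on Windows); treat as unsafe.
        return False


def resolve_download(safe_root: str, filename: str):
    """Assumed download handler: builds Path(root) / filename exactly as
    the advisory describes (an absolute filename discards root) and gates
    the result with the fixed check. Returns None when rejected."""
    candidate = Path(safe_root) / filename
    if not is_safe_path_fixed(safe_root, str(candidate)):
        return None
    return str(candidate)


if __name__ == "__main__":
    sibling = "/home/mobsf/.MobSF/downloads_bak/test.txt"  # sibling from the advisory
    print("flawed check accepts sibling:", is_safe_path_flawed(SAFE_ROOT, sibling))
    print("fixed check accepts sibling: ", is_safe_path_fixed(SAFE_ROOT, sibling))
    print("handler result for sibling:  ", resolve_download(SAFE_ROOT, sibling))
    print("handler result for report.pdf:", resolve_download(SAFE_ROOT, "report.pdf"))
```

The fixed check does not follow symlinks; if the download directory may contain them, resolve both sides with `os.path.realpath` before comparing.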
Impact:
Authenticated user can read arbitrary files with allowed extensions from directories sharing the same path prefix, leading to sensitive data exposure.
Sources:
Reported By: github.com