Listen to this Post
The vulnerability exists due to insufficient path traversal protection in the UI config module. The security check validates a user-supplied path against the allowed base directory (/etc/opencast/ui-config) but does so by checking if the requested path starts with the base path string. This check fails to account for the operating system’s file separator, allowing an attacker to access files in a sibling directory whose name begins with the same characters as the base directory. For instance, if the base directory is /etc/opencast/ui-config, a malicious request for `/etc/opencast/ui-config-hidden/secret.file` would pass the validation check because the string “/etc/opencast/ui-config-hidden” starts with “/etc/opencast/ui-config”. The application then concatenates this validated path, leading to the unauthorized file being read, provided the Opencast process has read permissions for it. General path traversal (e.g., ../../) is not possible.
Platform: Opencast
Version: <17.7, <18.1
Vulnerability : Path Traversal
Severity: Low
date: 2024
Prediction: 2024-11-01
What Undercode Say:
`curl -s “http://target/static/ui-config/../ui-config-hidden/file.properties”`
`if [[ $requested_path == $base_path ]]; then Vulnerable check`
`String safePath = basePath + File.separator + userInput; // Incorrect`
How Exploit:
Craft URL accessing sibling directory.
Protection from this CVE
Update to version 17.7, 18.1, or apply patch opencast/opencast6979.
Impact:
Limited unauthorized file read.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
