s3-proxy, Authentication Bypass via Percent-Encoded Slash, CVE(unknown) (Critical)

How the mentioned CVE works:

Go's `net/http` decodes `%2F` to `/` in `r.URL.Path` but keeps the encoded form in `r.URL.RawPath`. In s3-proxy, the auth middleware matches against `r.URL.RequestURI()` (the encoded path), while the bucket handler builds the object key from `r.URL.Path` (the decoded path). This mismatch lets an attacker inject `%2F` into a URL.

For example, with a config that protects `/upload/*/restricted/` and leaves `/upload/*/drafts/` open, a PUT request to `/upload/foo%2Frestricted/drafts/` is seen by auth as the single segment `foo%2Frestricted`, which matches the open wildcard (because `*` compiled without a separator matches any character, including `/`). Auth approves the request. The bucket handler, however, decodes the path to `/upload/foo/restricted/drafts/` and writes the object into the protected `restricted` namespace without any credentials. This bypasses authentication and works for any HTTP method (GET, DELETE, etc.).

The root cause is the inconsistent handling of percent-encoded reserved characters across two different path representations. A proof-of-concept integration test (`TestPercentEncodedSlashBypass`) sends a multipart PUT without credentials and expects 401 but gets 204: the file is written successfully. Fixes include matching auth against the decoded path (RFC non-compliant) or using the raw path in both layers (RFC compliant, but requires additional dot-segment handling). The vulnerability affects any deployment using path-based wildcard patterns.

dailycve form:

Platform: s3-proxy
Version: before fix
Vulnerability: Auth bypass
Severity: Critical
Date: 2025-03-15 (estimated disclosure)

Prediction: Patch 2025-04-01

What Undercode Say:

Analytics – bash commands to test:

```bash
# Send a PUT with %2F to bypass auth
curl -X PUT "http://s3-proxy.local/upload/foo%2Frestricted/drafts/test.txt" --data-binary @file.txt
# Check whether the object landed in the protected namespace (requires S3 access)
aws s3api head-object --bucket test-bucket --key upload/foo/restricted/drafts/test.txt
```

Exploit:

Attacker crafts a URL with `%2F` between path segments, e.g. `/open/foo%2Fprotected/secret`. Auth matches the open wildcard; the handler writes to the protected prefix. No credentials needed.

Protection from this CVE:

  • Apply the fix: pass `'/'` as the separator to `glob.Compile` (Issue 1) AND use the raw path (`r.URL.EscapedPath()`) in both auth and key construction (Issue 2, Option B).
  • Add `cleanPathMiddleware` to resolve dot segments.
  • Upgrade s3-proxy to the patched version.
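The path mismatch described in "How the mentioned CVE works" and the two-part fix in the protection list above, modelled as an added Go example (not s3-proxy's own code): it parses the PoC URL with `net/url`, runs a constructed open/protected resource config through the buggy and the fixed auth-plus-key flow, and reports whether the auth decision and the written key disagree. The patterns, the `prefixGlob` helper and `path.Clean` standing in for `cleanPathMiddleware` are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// Constructed resource config modelled on the write-up's patterns (assumption).
const (
	openPattern      = "/upload/*/drafts/"     // anonymous access
	protectedPattern = "/upload/*/restricted/" // credentials required
)

// prefixGlob reports whether pattern matches a prefix of s. With sepAware, '*'
// stops at '/', which is what passing '/' as separator to glob.Compile gives.
func prefixGlob(pattern, s string, sepAware bool) bool {
	star := ".*" // separator-less: '*' swallows '/' too
	if sepAware {
		star = "[^/]*"
	}
	re := "^" + strings.ReplaceAll(regexp.QuoteMeta(pattern), `\*`, star)
	return regexp.MustCompile(re).MatchString(s)
}

// Outcome: the path auth matched, its decision, and the key the bucket handler
// would write. Bypassed is the mismatch the write-up describes.
type Outcome struct {
	AuthPath, Key string
	Allowed       bool
}
func (o Outcome) Bypassed() bool { return o.Allowed && prefixGlob(protectedPattern, "/"+o.Key, true) }

// check models both layers. fixed=false reproduces the bug: auth sees the encoded
// path (RequestURI) through a separator-less glob while the handler keys on the
// decoded Path. fixed=true applies the fix: one dot-segment-cleaned escaped path
// for both layers (path.Clean stands in for cleanPathMiddleware) and a separator-aware glob.
func check(u *url.URL, fixed bool) Outcome {
	authPath, keyPath := u.EscapedPath(), u.Path
	if fixed {
		authPath = path.Clean(u.EscapedPath()) // note: also drops a trailing '/'
		keyPath = authPath
	}
	ok := prefixGlob(openPattern, authPath, fixed) && !prefixGlob(protectedPattern, authPath, fixed)
	return Outcome{authPath, strings.TrimPrefix(keyPath, "/"), ok}
}

func main() {
	u, _ := url.Parse("http://s3-proxy.local/upload/foo%2Frestricted/drafts/test.txt") // PoC URL from the write-up
	fmt.Printf("bug: %+v bypass=%v\n", check(u, false), check(u, false).Bypassed())
	fmt.Printf("fix: %+v bypass=%v\n", check(u, true), check(u, true).Bypassed())
}
```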

Impact:

Unauthenticated read/write/delete of any object in protected S3 namespaces. Full compromise of path‑based access control. Attacker can exfiltrate or destroy data without logging in.

Sources:

Reported By: github.com