How the mentioned CVE works:
The vulnerability exists within the `StaticHandler` component of Vert.x Web when configured with `setIncludeHidden(false)`. This configuration is intended to prevent the serving of any files or directories deemed "hidden." The security flaw is in the implementation's logic for determining what constitutes a hidden resource: it only checks whether the final path segment (the filename) begins with a dot (`.`). This logic fails to account for files residing within hidden directories.

For instance, a file named `config.txt` inside a directory named `.secret` does not itself start with a dot. Therefore, when a request is made for `/.secret/config.txt`, the handler incorrectly determines that `config.txt` is not a hidden file and serves it, bypassing the access control. This allows attackers to access sensitive data stored in hidden directories like `.git`, `.aws`, or `.env` by directly requesting the files within them, leading to significant information disclosure.
DailyCVE Form:
Platform: Vert.x Web
Version: <=5.1.0-SNAPSHOT
Vulnerability: Information Disclosure
Severity: Critical
Date: 2024-10-23
Prediction: 2024-11-13
What Undercode Say:
```bash
# Create vulnerable directory structure
mkdir -p webroot/.git webroot/.aws
echo "secret_data" > webroot/.git/config
echo "aws_key" > webroot/.aws/credentials

# Test server access
curl http://localhost:8080/.git/config
```

```java
// Vulnerable StaticHandler configuration
StaticHandler.create("webroot")
    .setIncludeHidden(false); // Flawed protection
```
How Exploit:
Directly request files inside hidden directories. For example:
`http://target.com/.git/config`
`http://target.com/.env/production`
`http://target.com/.aws/credentials`
Protection from this CVE:
Upgrade Vert.x Web.
Avoid hidden directories.
Use web root isolation.
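To find out which files in a web root depend on the flawed check, the audit below models the last-segment-only logic described above next to a check of every path segment, and lists the files that only the stricter check would block. It is an added example, not Vert.x code or part of the original post; the function names and the sample tree are constructed for illustration, and paths are assumed to be already URL-decoded and normalized.

```python
import os
import tempfile
from pathlib import PurePosixPath


def last_segment_hidden(url_path: str) -> bool:
    """Model of the flawed check described above: only the final segment is tested."""
    return PurePosixPath(url_path).name.startswith(".")


def any_segment_hidden(url_path: str) -> bool:
    """Stricter check: a dot-prefixed segment anywhere in the path hides the resource."""
    return any(seg.startswith(".") for seg in url_path.split("/") if seg)


def exposed_files(webroot: str) -> list[str]:
    """URL paths the flawed check would serve although they sit in a hidden directory."""
    exposed = []
    for dirpath, _dirs, files in os.walk(webroot):  # os.walk descends into dot-directories
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), webroot)
            url = "/" + rel.replace(os.sep, "/")
            if any_segment_hidden(url) and not last_segment_hidden(url):
                exposed.append(url)
    return sorted(exposed)


def build_sample_webroot(root: str) -> None:
    """Constructed sample tree, extending the page's mkdir/echo commands."""
    samples = {
        ".git/config": "secret_data",
        ".aws/credentials": "aws_key",
        ".git/.lock": "",   # dot-file inside a dot-directory: blocked by both checks
        ".htpasswd": "",    # top-level dot-file: blocked by both checks
        "index.html": "<h1>ok</h1>",
        "css/site.css": "body{}",
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_webroot(root)
        for url in exposed_files(root):
            print("served despite setIncludeHidden(false):", url)
```

Point `exposed_files()` at a real web root to get the list of files to move out of it before or alongside the upgrade.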
Impact:
Full source code reconstruction.
Credential leakage.
API key exposure.
Sources:
Reported By: github.com

