Exploit Title: uWSGI PHP Plugin Directory Traversal
Exploit Author: Marios Nicolaides
Reviewers: Simon Loizides and Nicolas Markitanis
Vendor Homepage: uWSGI Project
Affected: uWSGI PHP Plugin before 2.0.17
Tested on: uWSGI 2.0.12 and 2.0.15
Category: Web Application
The uWSGI PHP plugin before 2.0.17 is vulnerable to Directory Traversal when used without specifying the php-allowed-docroot option.
The vulnerability exists due to improper validation of the file path when requesting a resource under the DOCUMENT_ROOT directory which is specified via php-docroot.
A remote attacker could exploit this weakness to read arbitrary files from the vulnerable system using path traversal sequences (“..%2f”).
This was tested on uWSGI 2.0.12 and 2.0.15. All versions before 2.0.17 are affected.
The documentation of uWSGI states that the php-docroot option is used to jail our php environment to a project directory (uWSGI PHP Plugin).
; jail our php environment to project_dir
php-docroot = %(project_dir)
During testing it was observed that uWSGI was affected by a Directory Traversal vulnerability when executed as a standalone (without a front-end web server) along with the php-docroot option to enforce the DOCUMENT_ROOT of the web application.
uwsgi --http-socket :1337 --protocol=http --plugin php --php-index index.php --php-docroot /home/testing/webapp/
An attacker could exploit this vulnerability by using path traversal sequences (“..%2f”) to access sensitive information as demonstrated below:
We noticed that when a Directory Traversal attack was performed, uWSGI was issuing the following security error:
[uwsgi-fileserve] security error: /etc/passwd is not under /home/testing/webapp or a safe path
However, the contents of the requested file (i.e., /etc/passwd) were still returned to the user.
After searching the web for possible solutions, we noticed that the php-allowed-docroot option was previously added to uWSGI for better security and could be used to list the allowed document roots but no further details were available ([uWSGI] Improvements in the php plugin).
Upon further testing, we observed that when the php-allowed-docroot was used instead of the php-docroot option, it was not affected by Directory Traversal attacks.
uwsgi --http-socket :1337 --protocol=http --plugin php --php-index index.php --php-allowed-docroot /home/testing/webapp/
After a very constructive and helpful talk with the uWSGI Project, they released an update which enforces a DOCUMENT_ROOT check when using the php-docroot option to prevent Directory Traversal attacks. Please see the MITIGATION section for more information.
An attacker could exploit this vulnerability to gain unauthorized read access to sensitive files located outside of the web root directory.
It is recommended to update to uWSGI 2.0.17 - uWSGI 2.0.17
26 June 2017 - uWSGI Project informed about the issue
26 February 2018 - uWSGI Project released a patch
1 March 2018 - Exploit publicly disclosed