
uWSGI PHP plugin Directory Traversal


Exploit Title: uWSGI PHP Plugin Directory Traversal
Date: 01-03-2018
Exploit Author: Marios Nicolaides
Reviewers: Simon Loizides and Nicolas Markitanis
Vendor Homepage: uWSGI Project
Affected: uWSGI PHP Plugin before 2.0.17
Tested on: uWSGI 2.0.12 and 2.0.15
CVE-ID: CVE-2018-7490
Category: Web Application


OVERVIEW

The uWSGI PHP plugin before 2.0.17 is vulnerable to Directory Traversal when used without specifying the php-allowed-docroot option.

The vulnerability exists due to improper validation of the file path when requesting a resource under the DOCUMENT_ROOT directory which is specified via php-docroot.

A remote attacker could exploit this weakness to read arbitrary files from the vulnerable system using path traversal sequences (“..%2f”).

This was tested on uWSGI 2.0.12 and 2.0.15. All versions before 2.0.17 are affected.


DETAILS

The documentation of uWSGI states that the php-docroot option is used to jail our php environment to a project directory (uWSGI PHP Plugin).

; jail our php environment to project_dir
php-docroot = %(project_dir)

During testing it was observed that uWSGI was affected by a Directory Traversal vulnerability when run standalone (without a front-end web server) with the php-docroot option set to enforce the DOCUMENT_ROOT of the web application.

uwsgi --http-socket :1337 --protocol=http --plugin php --php-index index.php --php-docroot /home/testing/webapp/

An attacker could exploit this vulnerability by using path traversal sequences (“..%2f”) to access sensitive information as demonstrated below:

http://example.runesec.com:1337/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd

We noticed that when a Directory Traversal attack was performed, uWSGI was issuing the following security error:

[uwsgi-fileserve] security error: /etc/passwd is not under /home/testing/webapp or a safe path

However, the contents of the requested file (i.e., /etc/passwd) were still returned to the user.

After searching the web for possible solutions, we noticed that the php-allowed-docroot option was previously added to uWSGI for better security and could be used to list the allowed document roots, but no further details were available ([uWSGI] Improvements in the php plugin).

Upon further testing, we observed that when the php-allowed-docroot was used instead of the php-docroot option, it was not affected by Directory Traversal attacks.

uwsgi --http-socket :1337 --protocol=http --plugin php --php-index index.php --php-allowed-docroot /home/testing/webapp/

After a very constructive and helpful talk with the uWSGI Project, they released an update which enforces a DOCUMENT_ROOT check when using the php-docroot option to prevent Directory Traversal attacks. Please see the MITIGATION section for more information.
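The behaviour described above, a security error logged while the file was still returned, is the difference between a check that reports and a check that ends the request. The following added example is not uWSGI's code or its patch; it is a minimal sketch of a document-root containment check that fails closed, and the names resolve_in_docroot, serve and OutsideDocroot and the sample files are hypothetical.

```python
import os
import tempfile
from urllib.parse import unquote


class OutsideDocroot(Exception):
    """The decoded request path resolves outside the document root."""


def resolve_in_docroot(docroot, url_path):
    """Map a raw request path to a real filesystem path, or raise OutsideDocroot."""
    root = os.path.realpath(docroot)
    decoded = unquote(url_path)  # "..%2f" becomes "../" before any check runs
    if "\x00" in decoded:
        raise OutsideDocroot("NUL byte in path")
    # realpath collapses ".." and follows symlinks, so the check sees the real target
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # commonpath compares whole components: /srv/webapp2 is not under /srv/webapp
    if os.path.commonpath([root, candidate]) != root:
        raise OutsideDocroot(f"{candidate} is not under {root}")
    return candidate


def serve(docroot, url_path):
    """Return (status, body). A failed check ends the request; nothing is read."""
    try:
        path = resolve_in_docroot(docroot, url_path)
    except OutsideDocroot:
        return 403, b""
    try:
        with open(path, "rb") as fh:
            return 200, fh.read()
    except OSError:  # missing file, directory, permission denied
        return 404, b""


if __name__ == "__main__":
    # Constructed sample layout: a docroot with one file, and one file beside it.
    base = tempfile.mkdtemp()
    root = os.path.join(base, "webapp")
    os.mkdir(root)
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php echo 'ok';")
    with open(os.path.join(base, "outside.txt"), "wb") as fh:
        fh.write(b"not for clients")
    for request in ("/index.php", "/..%2foutside.txt", "/..%2f..%2f..%2fetc/passwd"):
        print(request, serve(root, request)[0])
```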


IMPACT

An attacker could exploit this vulnerability to gain unauthorized read access to sensitive files located outside of the web root directory.


MITIGATION

It is recommended to update to uWSGI 2.0.17.


TIMELINE

26 June 2017 - uWSGI Project informed about the issue
26 February 2018 - uWSGI Project released a patch
1 March 2018 - Exploit publicly disclosed
