Directory Traversal

Module: geddy

Published: July 27th, 2015

Reported by: Vikram Chaitanya

CVE-2015-5688

CWE-

Vulnerable: <13.0.8
Patched: >=13.0.8

Overview

Geddy's static file serving allows directory traversal when the request path is URI encoded (for example, ..%2f in place of ../).

Example

http://localhost:4000/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd

Geddy serves the file because the request matches no defined route and therefore falls through to the static file handler.

Remediation

Update to version >= 13.0.8
