aiohttp Directory Traversal Vulnerability
漏洞信息
漏洞名称: aiohttp Directory Traversal Vulnerability
漏洞编号:
- CVE: CVE-2024-23334
漏洞类型: 目录遍历
漏洞等级: 高危
漏洞描述: aiohttp是一个为asyncio和Python设计的异步HTTP客户端/服务器框架。当使用aiohttp作为Web服务器并配置静态路由时,需要指定静态文件的根路径。此外,可以使用’follow_symlinks’选项来决定是否跟随静态根目录之外的符号链接。当’follow_symlinks’设置为True时,没有验证检查读取的文件是否在根目录内。这可能导致目录遍历漏洞,导致未经授权访问系统上的任意文件,即使符号链接不存在。受影响的版本包括3.9.1及更早版本。
漏洞解释:此漏洞属于目录遍历类型,其技术根源在于aiohttp在处理静态文件请求时,未能正确验证请求的路径是否位于配置的静态文件根目录内。特别是当’follow_symlinks’选项启用时,攻击者可以构造恶意的路径,绕过目录限制,访问服务器上的任意文件。
影响分析:此漏洞的安全风险较高,攻击者可以利用此漏洞远程读取服务器上的敏感文件,如/etc/passwd,可能导致信息泄露。由于漏洞利用不需要认证,且可以自动化执行,因此对部署了受影响版本aiohttp的服务构成了严重威胁。
产品厂商: aiohttp
产品名称: aiohttp
影响版本: <= 3.9.1
类型: vulhub/vulhub:github issues
来源概述
aiohttp Directory Traversal Vulnerability (CVE-2024-23334)
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option ‘follow_symlinks’ can be used to determine whether to follow symbolic links outside the static root directory.When ‘follow_symlinks’ is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. The affected versions include 3.9.1 and earlier.
References:
Environment Setup
Execute the following command to start a aiohttp server v3.9.1:
1 | |
After the server starts, the web page can be accessed by visiting http://your-ip:8080/ in a browser.
Vulnerability Reproduction
This vulnerability can be exploited by crafting a malicious path to access arbitrary files on the server.
For example, to view the system file /etc/passwd, send the following request:
1 | |
If successful, you will see the contents of /etc/passwd. which proves that the vulnerability exists.