aiohttp Directory Traversal Vulnerability
漏洞信息
漏洞名称: aiohttp Directory Traversal Vulnerability
漏洞编号:
- CVE: CVE-2024-23334
漏洞类型: 目录遍历
漏洞等级: 高危
漏洞描述: aiohttp是一个为asyncio和Python设计的异步HTTP客户端/服务器框架。当使用aiohttp作为Web服务器并配置静态路由时,需要指定静态文件的根路径。此外,可以使用’follow_symlinks’选项来决定是否跟随静态根目录之外的符号链接。当’follow_symlinks’设置为True时,没有验证检查读取的文件是否在根目录内。这可能导致目录遍历漏洞,即使没有符号链接,也能导致未经授权访问系统上的任意文件。受影响的版本包括3.9.1及更早版本。
漏洞解释:此漏洞属于目录遍历类型,技术根源在于aiohttp在处理静态文件请求时,未能正确验证请求路径是否位于配置的静态文件根目录内,特别是当’follow_symlinks’选项启用时。这允许攻击者通过构造恶意路径,绕过目录限制,访问服务器上的敏感文件。
影响分析:此漏洞的安全风险较高,攻击者可以利用此漏洞读取服务器上的任意文件,包括敏感的系统文件如/etc/passwd,可能导致信息泄露。漏洞利用无需认证,可以远程执行,且可以自动化利用,对部署了受影响版本aiohttp的服务构成严重威胁。
产品厂商: aiohttp
产品名称: aiohttp
影响版本: version <= 3.9.1
类型: vulhub/vulhub:github issues
来源概述
aiohttp Directory Traversal Vulnerability (CVE-2024-23334)
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option ‘follow_symlinks’ can be used to determine whether to follow symbolic links outside the static root directory.When ‘follow_symlinks’ is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. The affected versions include 3.9.1 and earlier.
References:
Environment Setup
Execute the following command to start a aiohttp server v3.9.1:
1 | |
After the server starts, the web page can be accessed by visiting http://your-ip:8080/ in a browser.
Vulnerability Reproduction
This vulnerability can be exploited by crafting a malicious path to access arbitrary files on the server.
For example, to view the system file /etc/passwd, send the following request:
1 | |
If successful, you will see the contents of /etc/passwd. which proves that the vulnerability exists.