aiohttp Directory Traversal Vulnerability
漏洞信息
漏洞名称: aiohttp Directory Traversal Vulnerability
漏洞编号:
- CVE: CVE-2024-23334
漏洞类型: 目录遍历
漏洞等级: 高危
漏洞描述: aiohttp是一个为asyncio和Python设计的异步HTTP客户端/服务器框架。作为一款广泛使用的网络服务组件,aiohttp在构建高性能Web应用和服务时非常受欢迎,尤其是在需要处理大量并发连接的场景中。
该漏洞属于目录遍历类型,其技术根源在于当aiohttp作为Web服务器配置静态路由时,如果设置了’follow_symlinks’为True,系统不会验证读取的文件是否位于静态根目录内。这种缺乏验证的设计使得攻击者可以通过构造恶意路径,绕过目录限制,访问服务器上的任意文件,即使没有符号链接存在。这种漏洞的存在,直接威胁到了服务器上敏感数据的安全。
从影响分析来看,此漏洞允许攻击者无需任何认证即可远程读取服务器上的任意文件,包括但不限于系统配置文件、用户数据等敏感信息。这种漏洞的利用可以自动化执行,且不需要复杂的攻击手段,因此对运行受影响版本aiohttp的服务构成了严重的安全威胁。攻击者利用此漏洞可能导致数据泄露、服务配置被篡改等严重后果,进而可能引发更广泛的安全事件。
产品厂商: aiohttp
产品名称: aiohttp
影响版本: version <= 3.9.1
类型: vulhub/vulhub:github issues
来源概述
aiohttp Directory Traversal Vulnerability (CVE-2024-23334)
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option ‘follow_symlinks’ can be used to determine whether to follow symbolic links outside the static root directory.When ‘follow_symlinks’ is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. The affected versions include 3.9.1 and earlier.
References:
Environment Setup
Execute the following command to start a aiohttp server v3.9.1:
1 | |
After the server starts, the web page can be accessed by visiting http://your-ip:8080/ in a browser.
Vulnerability Reproduction
This vulnerability can be exploited by crafting a malicious path to access arbitrary files on the server.
For example, to view the system file /etc/passwd, send the following request:
1 | |
If successful, you will see the contents of /etc/passwd. which proves that the vulnerability exists.