aiohttp Directory Traversal Vulnerability
漏洞信息
漏洞名称: aiohttp Directory Traversal Vulnerability
漏洞编号:
- CVE: CVE-2024-23334
漏洞类型: 目录遍历
漏洞等级: 高危
漏洞描述: aiohttp是一个为asyncio和Python设计的异步HTTP客户端/服务器框架。当使用aiohttp作为Web服务器并配置静态路由时,需要指定静态文件的根路径。此外,可以使用’follow_symlinks’选项来决定是否跟随静态根目录之外的符号链接。当’follow_symlinks’设置为True时,没有验证检查读取的文件是否在根目录内。这可能导致目录遍历漏洞,即使不存在符号链接,也可能导致未经授权访问系统上的任意文件。受影响的版本包括3.9.1及更早版本。
漏洞技术根源在于aiohttp在处理静态文件请求时,未能充分验证请求路径的安全性,特别是在’follow_symlinks’选项启用时,缺乏对路径的严格限制,使得攻击者可以通过构造恶意路径绕过安全限制,访问服务器上的敏感文件。
此漏洞的安全风险较高,攻击者可以利用此漏洞读取服务器上的任意文件,包括但不限于系统配置文件、用户数据等敏感信息,可能导致信息泄露,进一步可能被用于其他攻击。漏洞利用无需认证,可以远程自动化执行,对系统安全构成严重威胁。
产品厂商: aiohttp
产品名称: aiohttp
影响版本: version <= 3.9.1
类型: vulhub/vulhub:github issues
来源概述
aiohttp Directory Traversal Vulnerability (CVE-2024-23334)
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option ‘follow_symlinks’ can be used to determine whether to follow symbolic links outside the static root directory.When ‘follow_symlinks’ is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. The affected versions include 3.9.1 and earlier.
References:
Environment Setup
Execute the following command to start a aiohttp server v3.9.1:
1 | |
After the server starts, the web page can be accessed by visiting http://your-ip:8080/ in a browser.
Vulnerability Reproduction
This vulnerability can be exploited by crafting a malicious path to access arbitrary files on the server.
For example, to view the system file /etc/passwd, send the following request:
1 | |
If successful, you will see the contents of /etc/passwd. which proves that the vulnerability exists.