uWSGI Directory Traversal

uWSGI versions prior to 2.0.17 suffer from a directory traversal vulnerability.

MD5 | b9abb246f21662b12371d11bb8e5a519

# Exploit Title: uWSGI PHP Plugin Directory Traversal
# Date: 01-03-2018
# Exploit Author: Marios Nicolaides - RUNESEC
# Reviewers: Simon Loizides and Nicolas Markitanis - RUNESEC
# Vendor Homepage: https://uwsgi-docs.readthedocs.io
# Affected Software: uWSGI PHP Plugin before 2.0.17
# Tested on: uWSGI 2.0.12 and 2.0.15
# CVE: CVE-2018-7490
# Category: Web Application

The uWSGI PHP plugin before 2.0.17 is vulnerable to Directory Traversal when used without specifying the "php-allowed-docroot" option.

The vulnerability exists due to improper validation of the file path when requesting a resource under the DOCUMENT_ROOT directory which is specified via "php-docroot".

A remote attacker could exploit this weakness to read arbitrary files from the vulnerable system using path traversal sequences ("..%2f").

This was tested on uWSGI 2.0.12 and 2.0.15. All versions before 2.0.17 are affected.

The documentation of uWSGI states that the php-docroot option is used to jail our php environment to a project directory (http://uwsgi-docs.readthedocs.io/en/latest/PHP.html#run-php-apps-without-a-frontend-server).

; jail our php environment to project_dir
php-docroot = %(project_dir)

During testing it was observed that uWSGI was affected by a Directory Traversal vulnerability when executed as a standalone (without a front-end web server) along with the "php-docroot" option to enforce the DOCUMENT_ROOT of the web application.

uwsgi --http-socket :1337 --protocol=http --plugin php --php-index index.php --php-docroot /home/testing/webapp/

An attacker could exploit this vulnerability by using path traversal sequences ("..%2f") to access sensitive information as demonstrated below:


We noticed that when a Directory Traversal attack was performed, uWSGI was issuing the following security error:

[uwsgi-fileserve] security error: /etc/passwd is not under /home/testing/webapp or a safe path

However, the contents of the requested file (i.e., /etc/passwd) were still returned to the user.

After searching the web for possible solutions, we noticed that the "php-allowed-docroot" option was previously added to uWSGI for better security and could be used to list the allowed document roots but no further details were available (http://lists.unbit.it/pipermail/uwsgi/2011-December/003180.html).

Upon further testing, we observed that when the "php-allowed-docroot" was used instead of the "php-docroot" option, it was not affected by Directory Traversal attacks.

uwsgi --http-socket :1337 --protocol=http --plugin php --php-index index.php --php-allowed-docroot /home/testing/webapp/

After a very constructive and helpful talk with the uWSGI Project, they released an update which enforces a DOCUMENT_ROOT check when using the "php-docroot" option to prevent Directory Traversal attacks. Please see the MITIGATION section for more information.

An attacker could exploit this vulnerability to gain unauthorized read access to sensitive files located outside of the web root directory.

It is recommended to update to uWSGI 2.0.17 - https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.html


26 June 2017 - uWSGI Project informed about the issue
26 February 2018 - uWSGI Project released a patch
1 March 2018 - Exploit publicly disclosed

Related Posts