Hap-wi/roxy-wi is a popular web interface that enables the management of Haproxy, Nginx, Apache, and Keepalived servers. In this report, we will discuss a critical Path Traversal vulnerability (CVE-2023-29004) that has been identified in the current version of Roxy-WI (6.3.9.). This security issue could allow an attacker with user-level privileges to access the content of arbitrary files on the file server, which may lead to severe consequences. We will provide a comprehensive analysis of this bug, including the code snippet where the vulnerability lies, the original references, and the exploit details.

Vulnerability Details

The vulnerability CVE-2023-29004 exists in the "get_config" function of the "/app/modules/config/config.py" file. This function reads and returns the contents of the configured file passed as the "config_file_name" parameter in an HTTP request to "/app/options.py". However, the function only checks for relative path traversal, leaving it vulnerable to absolute path traversal attacks.

Here's the code snippet from the "get_config" function in "/app/modules/config/config.py"

def get_config(config_file_name):
    if ".." in config_file_name:
        return False
    with open(config_file_name) as conf_file:
        return conf_file.read()

As seen in the above code, the only check performed is for the presence of ".." in the file path, which indicates a relative path traversal attempt. However, this check does not account for absolute path traversal attempts.

Exploit Details

To exploit this vulnerability, an attacker with user-level privileges could send an HTTP request to "/app/options.py" with an absolute file path in the "config_file_name" parameter. Given that the server process has access to the contents of the targeted file, the attacker could read and obtain its data.

For example, to retrieve the contents of the "/etc/passwd" file, the attacker would send a request similar to the following:

GET /app/options.py?config_file_name=/etc/passwd

Upon successful exploitation, the attacker would have access to the contents of "/etc/passwd", potentially leading to sensitive information disclosure or further attacks on the system.

Original References

1. Roxy-WI Application: https://roxy-wi.com
2. Roxy-WI's Source Code Repository: https://github.com/haproxy-wi/haproxy-wi
3. CVE-2023-29004 Details: https://nvd.nist.gov/vuln/detail/CVE-2023-29004

Mitigation

As of now, there hasn't been an official patch released by the Roxy-WI team to fix this vulnerability. However, users can employ the following workaround to temporarily mitigate this issue:

1. Edit the "/app/modules/config/config.py" file and modify the "get_config" function to check for both relative and absolute path traversal:

`

2. After applying the changes, restart the Roxy-WI service to ensure that the updated code takes effect.

Conclusion

In conclusion, the CVE-2023-29004 Path Traversal vulnerability in the hap-wi/roxy-wi web interface poses a considerable risk to system security. It is crucial for users to be aware of this vulnerability and apply the suggested workaround until an official patch is released. The Roxy-WI development team should address this issue promptly to ensure their users' environments remain secure.

Timeline

Published on: 04/17/2023 19:15:00 UTC
Last modified on: 04/26/2023 19:34:00 UTC