A path traversal in CivetWeb leads to remote code execution when an attacker uploads a maliciously-named file
Affected: CivetWeb [1.8, 1.14]; fixed in 1.15
CivetWeb is a very popular embeddable web server/library that can either be used standalone or by adding web server functionality to an existing application. CivetWeb prioritizes simplicity, customizability and performance. It can also be used by end users as a stand-alone web server running on a Windows or Linux PC.
A path traversal issue was discovered in the handling of unsanitized filenames accepted as part of a file upload operation.
This issue only impacts CivetWeb-based web applications that use the built-in file upload form handler. In technical terms, a CivetWeb-based web application is vulnerable if:
- The application handles HTTP form data by calling CivetWeb's `mg_handle_form_request` and supplies the (mandatory) user-defined `field_found` callback function
- The `field_found` callback function returns `MG_FORM_FIELD_STORAGE_STORE` to indicate a file upload operation
- The `field_found` callback function supplies the (mandatory) `path` output argument, where the path relies on the `filename` input argument (which comes directly from the HTTP form data)
Note that this scenario is the standard way of using CivetWeb’s file upload functionality, and is supplied as a full working example in the embedded_c example in the CivetWeb sources.
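The following is an added example, not code from CivetWeb or its embedded_c sample: a `field_found`-shaped callback that builds the storage path through an allow-listing helper, so a client-supplied `filename` containing a separator or a `..` component aborts the request instead of being joined onto the upload directory. `UPLOAD_DIR`, `safe_upload_path` and the `STORAGE_*` constants are hypothetical stand-ins chosen so the block compiles on its own (a real handler would include civetweb.h and return the `MG_FORM_FIELD_STORAGE_*` values).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical upload directory and stand-ins for CivetWeb's
 * MG_FORM_FIELD_STORAGE_* return codes (use civetweb.h in real code). */
#define UPLOAD_DIR "/var/www/uploads"
#define STORAGE_SKIP  0
#define STORAGE_STORE 2
#define STORAGE_ABORT 0x10

/* Build the storage path for a client-supplied filename.
 * Returns 0 and fills `path` only if the name is a single, plain
 * path component; returns -1 for anything that could leave UPLOAD_DIR. */
int safe_upload_path(const char *filename, char *path, size_t pathlen)
{
    size_t len, i;
    int n;
    if (filename == NULL) return -1;
    len = strlen(filename);
    if (len == 0 || len > 255) return -1;
    /* No directory separators of either flavour, and no "." or ".." component. */
    if (strchr(filename, '/') || strchr(filename, '\\')) return -1;
    if (strcmp(filename, ".") == 0 || strcmp(filename, "..") == 0) return -1;
    /* Conservative character allow-list; also refuses dot-files such as .htaccess. */
    if (filename[0] == '.') return -1;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)filename[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return -1;
    }
    n = snprintf(path, pathlen, "%s/%s", UPLOAD_DIR, filename);
    if (n < 0 || (size_t)n >= pathlen) return -1;  /* truncated: do not store */
    return 0;
}

/* Callback in the shape CivetWeb's field_found hook expects:
 * int (*)(const char *key, const char *filename, char *path, size_t pathlen, void *user_data) */
int field_found(const char *key, const char *filename, char *path, size_t pathlen, void *user_data)
{
    (void)key; (void)user_data;
    if (filename == NULL || filename[0] == '\0')
        return STORAGE_SKIP;            /* ordinary form field, not a file upload */
    if (safe_upload_path(filename, path, pathlen) != 0)
        return STORAGE_ABORT;           /* refuse the request rather than guess a safe name */
    return STORAGE_STORE;
}
```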
No PoC is supplied for this issue
Use a WAF to filter HTTP form file upload requests that contain the string `..` in the `filename` form parameter