A path traversal in CivetWeb leads to remote code execution when an attacker uploads a maliciously-named file
Affected: CivetWeb 1.8 through 1.14; fixed in 1.15
CivetWeb is a very popular embeddable web server/library that can either be used standalone or by adding web server functionality to an existing application. CivetWeb prioritizes simplicity, customizability and performance. It can also be used by end users as a stand-alone web server running on a Windows or Linux PC.
A path traversal issue was discovered in the handling of unsanitized filenames during file upload operations.
This issue only impacts CivetWeb-based web applications that use the built-in file upload form handler. In technical terms, a CivetWeb-based web application is vulnerable if:
- The application handles HTTP form data by calling CivetWeb's mg_handle_form_request and supplies the (mandatory) user-defined field_found callback function
- The field_found callback function returns MG_FORM_FIELD_STORAGE_STORE to indicate a file upload operation
- The field_found callback function supplies the (mandatory) path output argument, and that path relies on the filename input argument (which comes directly from the HTTP form data)
Note that this scenario is the standard way of using CivetWeb's file upload functionality, and it is shipped as a full working example (embedded_c) in the CivetWeb sources.
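As an added example (not from the advisory and not CivetWeb's own example code), the following C snippet shows a hardened field_found-style callback that refuses any client-supplied filename that is not a single plain path component before building the storage path. The callback signature mirrors the one CivetWeb's form handler expects; the MG_FORM_FIELD_STORAGE_* constants are defined locally as assumptions so the snippet compiles stand-alone without civetweb.h.

```c
#include <stdio.h>
#include <string.h>

/* Assumed values: in a real application these come from civetweb.h. */
#define MG_FORM_FIELD_STORAGE_SKIP  0
#define MG_FORM_FIELD_STORAGE_STORE 2

/* Accept only a bare file name: no separators (either style), no drive or
 * stream prefix, no "." / ".." entries, no control characters.
 * Returns 1 if the name may be used as a single path component. */
int is_safe_upload_name(const char *filename)
{
    if (filename == NULL || filename[0] == '\0') return 0;
    if (strcmp(filename, ".") == 0 || strcmp(filename, "..") == 0) return 0;
    for (const char *p = filename; *p; p++) {
        if (*p == '/' || *p == '\\' || *p == ':') return 0;
        if ((unsigned char)*p < 0x20) return 0;
    }
    return 1;
}

/* Build "<upload_dir>/<filename>" only when the name is safe and the result
 * fits in the caller's buffer. Returns 1 on success, 0 otherwise; on failure
 * path is left as an empty string so a stale value can never be stored to. */
int build_upload_path(char *path, size_t pathlen,
                      const char *upload_dir, const char *filename)
{
    path[0] = '\0';
    if (!is_safe_upload_name(filename)) return 0;
    int n = snprintf(path, pathlen, "%s/%s", upload_dir, filename);
    if (n < 0 || (size_t)n >= pathlen) { path[0] = '\0'; return 0; }
    return 1;
}

/* Hardened field_found callback. user_data is assumed to carry the upload
 * directory. Non-file fields and rejected names are skipped here; a real
 * handler would usually fetch ordinary fields with MG_FORM_FIELD_STORAGE_GET. */
int field_found(const char *key, const char *filename,
                char *path, size_t pathlen, void *user_data)
{
    const char *upload_dir = (const char *)user_data;
    (void)key;
    if (filename == NULL || filename[0] == '\0')
        return MG_FORM_FIELD_STORAGE_SKIP;          /* not a file upload */
    if (!build_upload_path(path, pathlen, upload_dir, filename))
        return MG_FORM_FIELD_STORAGE_SKIP;          /* refuse, do not store */
    return MG_FORM_FIELD_STORAGE_STORE;
}
```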
No PoC is supplied for this issue.
Workaround: use a WAF to filter HTTP form file upload requests that contain the string .. in the filename form parameter. This is a stopgap only; the fix is to upgrade to CivetWeb 1.15.