💾 Archived View for gemi.dev › gemlog › 2022-02-15-psa-gemserv-0.6.5.gmi captured on 2022-03-01 at 15:00:45. Gemini links have been rewritten to link to archived content
2022-02-15 | #security
Déjà vu time. If you use gemserv, please update to version 0.6.5 immediately.
https://git.sr.ht/~int80h/gemserv
~int80h has patched another, different directory traversal security bug in gemserv. It is great to see people looking harder at their own servers: that makes two different critical security holes patched in less than two weeks, which is amazing work! 👏👏👏
Unfortunately, it also means that anyone who upgraded to 0.6.4 in the last week or so needs to do it again and move to 0.6.5. Currently there are ~48 capsules running a vulnerable version of gemserv (anything before 0.6.5).
All versions of gemserv before 0.6.5 are vulnerable to multiple variations of a serious security flaw called a directory traversal vulnerability. These allow an attacker to trick gemserv into reading and returning files or directories on the server outside the root of the capsule, like this:
Accessing private files in a pubnix user's home directory
You can learn more about directory traversal attacks here:
Robust Defence Against Directory Transversal attacks
In my "Robust Defence Against Directory Transversal attacks" post, I said this:
Behold the 75 CVE entries for directory transversal attacks against Apache or its components in the last 20 years. So yeah. Protecting against directory transversal is surprisingly more difficult than you would think.
I'm not trying to put int80 on the spot. They did an awesome job. But their needing to issue a 2nd update a few days later to defend against another attack variant should reinforce that quote above. Directory traversal vulnerabilities **ARE** surprisingly hard to fix, and to fix in a way you know will be secure going forward.
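As an added illustration (not gemserv's code, and not the fix ~int80h shipped), here is the shape of the problem in Rust, gemserv's language. It puts the kind of substring check that looks adequate next to a resolver that percent-decodes first, normalises the path lexically, refuses to climb above the capsule root, rebuilds the path from the root so no request-supplied prefix survives, and then confirms the result on disk. The capsule root, the sample request paths and the function names are assumptions for the example.

```rust
use std::path::{Component, Path, PathBuf};

/// Percent-decode a request path (RFC 3986 escapes). Returns None on a malformed
/// escape so that a half-decoded path is never passed on to the filesystem.
fn percent_decode(s: &str) -> Option<String> {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' {
            if i + 3 > bytes.len() {
                return None; // truncated escape such as "%2"
            }
            let hex = std::str::from_utf8(&bytes[i + 1..i + 3]).ok()?;
            out.push(u8::from_str_radix(hex, 16).ok()?);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    String::from_utf8(out).ok()
}

/// The check that looks sufficient and is not: a substring filter applied to the
/// raw request, so an encoded "%2e%2e/" walks straight past it.
fn naive_is_safe(request_path: &str) -> bool {
    !request_path.contains("..")
}

/// Map a request path onto a file under `root`, or None if it would escape.
/// Order matters: decode, then normalise, then join onto the root we chose.
fn resolve_under_root(root: &Path, request_path: &str) -> Option<PathBuf> {
    let decoded = percent_decode(request_path)?;
    if decoded.contains('\0') {
        return None; // NUL would truncate the path at the OS boundary
    }
    let mut rel = PathBuf::new();
    let mut depth = 0usize; // how many real components we have descended
    for comp in Path::new(&decoded).components() {
        match comp {
            Component::Normal(c) => {
                rel.push(c);
                depth += 1;
            }
            Component::ParentDir => {
                if depth == 0 {
                    return None; // ".." that would climb above the capsule root
                }
                rel.pop();
                depth -= 1;
            }
            // A leading "/" in a Gemini URL path means "relative to the capsule
            // root", and "." contributes nothing, so both are dropped here.
            Component::CurDir | Component::RootDir => {}
            Component::Prefix(_) => return None, // drive prefixes are never valid input
        }
    }
    Some(root.join(rel))
}

/// Second line of defence for a root that may contain symlinks: resolve both
/// paths on disk and require the candidate to still sit under the root.
/// Needs the file to exist, so it runs after lexical resolution, not instead of it.
fn confirmed_inside(root: &Path, candidate: &Path) -> std::io::Result<bool> {
    let root = root.canonicalize()?;
    let candidate = candidate.canonicalize()?;
    Ok(candidate.starts_with(&root))
}

fn main() {
    // Assumed capsule root and constructed request paths for the demonstration.
    let root = Path::new("/srv/gemini/capsule");
    let requests = [
        "/index.gmi",
        "/a/../b.gmi",
        "/../etc/passwd",
        "/%2e%2e/%2e%2e/etc/passwd",
        "/docs/../../../home/user/.ssh/id_ed25519",
    ];
    for req in requests {
        println!(
            "{:<45} naive_is_safe={:<5} resolved={:?}",
            req,
            naive_is_safe(req),
            resolve_under_root(root, req)
        );
    }
}
```

The lexical pass stops every "..", encoded or not, from moving above the root; `confirmed_inside` then catches a symlink inside the root that points elsewhere, which no string check can see. A stricter policy is to reject any request containing ".." after decoding rather than permitting "a/../b", and that is a reasonable default for a server that never needs to serve such paths.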