💾 Archived View for alexey.shpakovsky.ru › gemlog › disabling-path-traversal.gmi captured on 2023-09-08 at 15:50:46. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2022-03-01)

-=-=-=-=-=-=-

Disabling path traversal vulnerability

Originally posted: 2022-02-05 ~ Last updated: 2022-02-12

In recent two days, two gemini servers fixed path traversal vulnerabilities.

First, thanks to Acidus for responsibly disclosing, and int80h for promptly fixing the issue in gemserv:

pre-disclosure announcement

Disclosure announcement

gemserv git repository

gemserv on Docker hub

Second, the JAGS-PHP developer Matthias Weiß fixed an issue (pointed out by Tyler Spivey) in the JAGS-PHP server:

Announcement

JAGS-PHP github repo

Is it a weekend of fixing path traversal vulnerabilities in gemini clients? Naturally I decided to support this trend and fix the well-known path traversal vulnerability in my simple bash gemini server. So now when it detects a path traversal attempt - it prints its own source code, instead! :D

Update

That was a fun joke, but two days later I removed in and uploaded the code to github. Please refer to the original article on how and where to get the code:

Original article announcing the Gemini server written in bash.

End of update

Please feel free everyone to check if you can find any vulnerabilities there!

Also I've added titan support and "donate" ;) button (link, actually) and titan protocol, so now I can edit posts in the same application as where I read them! It's a subject for future posts, but if you manage to find a vulnerability there (or figure out my titan password) - please do let me know!