💾 Archived View for gemi.dev › gemlog › 2022-06-30-check-your-project.gmi captured on 2023-09-08 at 16:22:25. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-03-20)

-=-=-=-=-=-=-

How I found, and what you can learn, from gemserv's Directory Transversal vulnerabilities

2022-06-30 | #security | @Acidus

Back in February, I found a Directory Transversal vulnerability in the popular gemini server gemserv, and posted about it here:

Public Service Announcement: Security vulnerability in gemini server software

A directory Transversal vulnerability allows an attacker to trick the server into reading and returning files or directories on the server outside of the root of the capsule, like this:

Accessing private files in a pubnix user's home directory

This isn't unique to gemini. Hackers have been finding Directory Transversal vulnerabilities in web servers for 25 years.

If you read my original post, your may notice that I said "stumbled on" the vulnerability. That's because I didn't discover this vulnerability by scanning random capsules and sending malformed requests looking for vulnerabilities. Instead I found it, published on one of gemserv's pages on sr.ht, for the entire world to see. And it had been there for over a month.

Discovery and Disclosure

On Jan 31 I was looking at the gemserv sr.ht page and I saw a security issue reported by Vukasin Vukovic on the mailing list on Dec 24th 2021. It was so small and short, I nearly overlooked it.

Someone posting about the bug

Subject: LFI Vulnerability. gemserv treats %2f as absolute /

Many reported security vulns are false positives and since no one had replied I assumed this was a non-issue. However, since I was looking to adopt gemserv for my own capsule, I downloaded the software and tested it for the vulnerability to be sure. Unfortunately I found that yes, it is a valid security issue! I could access any file on any capsule running gemserv.

I found no bug ticket for the issue. There was no indication at all that @int80 even knew about the problem. Confusing the issue was that Vukasin had called this an "LFI" or "Local File Include" vulnerability and when technically this was a directory transversal vulnerability.

Ultimately I tracked down @int80's contact info on their capsule, let them know about it, and they quickly resolved the issue.

Lesson to learn

If you are a developer who makes software available for other people to use there are several lessons you should learn from this:

Have a clear, published method to contact you about security issues

int80 had no contact info on their project page for gemserv. Nothing was said about how people should report bugs, let alone security issues. At the time, there was a mailing list for gemserv. This might have been something that sourcehut automatically creates for projects, or something int80 specifically set up, I'm not sure. Either way, the mailing list was the only obvious mechanism to contact the project owner, so that what Vukasin used to report the LFI vulnerability.

If your project has communication channels, check them!!!

Bluntly, it's negligent to have communication channels for your project, and not check them. int80 should have either:

Frankly, its outrageous that a security vulnerability had been reported for anyone to see, and it went unnoticed and for over a month until I found it.

Acknowledge and "close" security reports after you have fixed them

To this day, that LFI message is still sitting in the germserv mailing list, unanswered. New users may find that and wonder, is this legit? has this been fixed? When was it fixed?

Developers, if you get a security report, you need to reply to it. This helps people understand that it has been resolved. What you should say in your reply:

Post security notices on the project homepage

How do you let your users know they need to upgrade? Put something on the project page. It can be as simple as "Versions of foobar before 1.7 have known security issues. Please update to the latest version here." You need to inform your users they are at risk.

And not only announce it on the project homepage, consider announcing it on your blog or Antenna. For reasons I don't understand, int80 never posted to their gemlog about these security issues, or when a fix was available, nor talked about it via Antenna or Station.

Final Thoughts

Developers, please:

Directory Transversal vulnerability are surprisingly hard to fix. int80 "fixed" the problem, only to have to fix it again 2 weeks later because they didn't catch all the edge cases.

Annoucement to update gemserv, again.

You can learn more about directory transversal attacks, and how to fix them, here:

Robust Defence Against Directory Transversal attacks

If you want to make it easier for people to contact you about security issues, consider adding a security.txt file to your capsule.

Why you should add security.txt to your capsule