Summary
The Thruk web monitoring application presents a vulnerability in a file upload form that allows a threat actor to arbitrarily upload files to the server to any path they desire and have permissions for. This vulnerability is known as Path Traversal or Directory Traversal.
Details
PoC
Within the Thruk web monitoring application, when logging in with any user, there was an area where one could upload a file, so that it would be used as a background within the generated dashboards.
The following image shows the normal file upload flow, where it can be observed that the files were uploaded to the "backgrounds/" folder by default.
Initially, it was verified that there were no write permissions in this folder, as the error returned confirmed that the file upload had not been successful.
However, by manipulating the folder path to "backgrounds/../../../../tmp/", it was observed that the server returned a successful message, confirming the file upload.
This folder was chosen because it is present in every GNU Linux-based system and is normally modifiable by any user, thus demonstrating the vulnerability.
Impact
A threat actor, by exploiting this security flaw, could arbitrarily upload files to the server and manage to overwrite existing files on the server, thus affecting the integrity of the environment.
In the case of overwriting images or other resources of the application, they could deface the site.
Additionally, a threat actor could upload files in an automated manner until filling up the server's disk, which would cause unavailability in the system.
In many cases, this could extend to the point where a threat actor uploads a webshell and can execute arbitrary commands on the server.
###Countermeasure
Sanitize (validate) user inputs to prevent dangerous characters such as the dot (.) and slash (/).
shapas Reporter
Summary
The Thruk web monitoring application presents a vulnerability in a file upload form that allows a threat actor to arbitrarily upload files to the server to any path they desire and have permissions for. This vulnerability is known as Path Traversal or Directory Traversal.
Details
PoC
Within the Thruk web monitoring application, when logging in with any user, there was an area where one could upload a file, so that it would be used as a background within the generated dashboards.
The following image shows the normal file upload flow, where it can be observed that the files were uploaded to the "backgrounds/" folder by default.
Initially, it was verified that there were no write permissions in this folder, as the error returned confirmed that the file upload had not been successful.
However, by manipulating the folder path to "backgrounds/../../../../tmp/", it was observed that the server returned a successful message, confirming the file upload.
This folder was chosen because it is present in every GNU Linux-based system and is normally modifiable by any user, thus demonstrating the vulnerability.
Impact
A threat actor, by exploiting this security flaw, could arbitrarily upload files to the server and manage to overwrite existing files on the server, thus affecting the integrity of the environment.
In the case of overwriting images or other resources of the application, they could deface the site.
Additionally, a threat actor could upload files in an automated manner until filling up the server's disk, which would cause unavailability in the system.
In many cases, this could extend to the point where a threat actor uploads a webshell and can execute arbitrary commands on the server.
###Countermeasure
Sanitize (validate) user inputs to prevent dangerous characters such as the dot (.) and slash (/).