CVE-2021-21234 PoC — Directory Traversal

Source

https://github.com/xiaojiangxl/CVE-2021-21234

Associated Vulnerability

Title:Directory Traversal (CVE-2021-21234)
Description:spring-boot-actuator-logview in a library that adds a simple logfile viewer as spring boot actuator endpoint. It is maven package "eu.hinsch:spring-boot-actuator-logview". In spring-boot-actuator-logview before version 0.2.13 there is a directory traversal vulnerability. The nature of this library is to expose a log file directory via admin (spring boot actuator) HTTP endpoints. Both the filename to view and a base folder (relative to the logging folder root) can be specified via request parameters. While the filename parameter was checked to prevent directory traversal exploits (so that `filename=../somefile` would not work), the base folder parameter was not sufficiently checked, so that `filename=somefile&base=../` could access a file outside the logging base directory). The vulnerability has been patched in release 0.2.13. Any users of 0.2.12 should be able to update without any issues as there are no other changes in that release. There is no workaround to fix the vulnerability other than updating or removing the dependency. However, removing read access of the user the application is run with to any directory not required for running the application can limit the impact. Additionally, access to the logview endpoint can be limited by deploying the application behind a reverse proxy.

Readme

# CVE-2021-21234

**CVE-2021-21234 Spring Boot 目录遍历**

  spring-boot-actuator-logview 在一个库中添加了一个简单的日志文件查看器作为 spring boot 执行器端点。它是 maven 包“eu.hinsch:spring-boot-actuator-logview”。在 0.2.13 版本之前的 spring-boot-actuator-logview 中存在目录遍历漏洞。该库的本质是通过 admin（spring boot 执行器）HTTP 端点公开日志文件目录。要查看的文件名和基本文件夹（相对于日志文件夹根）都可以通过请求参数指定。虽然检查了文件名参数以防止目录遍历攻击（因此`filename=../somefile` 将不起作用），但没有充分检查基本文件夹参数，因此`filename=somefile&base=../` 可以访问日志记录基目录之外的文件）。该漏洞已在 0.2.13 版中修补。0.2.12 的任何用户都应该能够毫无问题地进行更新，因为该版本中没有其他更改。除了更新或删除依赖项之外，没有解决此漏洞的方法。但是，删除运行应用程序的用户对运行应用程序不需要的任何目录的读取访问权限可以限制影响。此外，可以通过在反向代理后面部署应用程序来限制对 logview 端点的访问。
  
## 漏洞代码位置：



`eu.hinsch.spring.boot.actuator.logview.LogViewEndpoint#view`

 view函数对filename参数进行合法性校验，但是没有对base参数进行合法性校验。
 
 
GET path:

      - "{{BaseURL}}/manage/log/view?filename=/windows/win.ini&base=../../../../../../../../../../" # Windows
      
      - "{{BaseURL}}/log/view?filename=/windows/win.ini&base=../../../../../../../../../../" # windows
      
      - "{{BaseURL}}/manage/log/view?filename=/etc/passwd&base=../../../../../../../../../../" # linux
      
      - "{{BaseURL}}/log/view?filename=/etc/passwd&base=../../../../../../../../../../" # linux

File Snapshot


 [4.0K]  /data/pocs/d921581c7da9ec81d72cbfec0fada9d0a6e33707
├── [ 220]  poc.py
├── [1.8K]  README.md
├── [ 294]  uri.txt
└── [ 534]  批量.py

0 directories, 4 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!