-- Leo's gemini proxy
-- Connecting to gemi.dev:1965...
-- Connected
-- Sending request
-- Meta line: 20 text/gemini
2022-06-30 | #security | @Acidus
Back in February, I found a Directory Transversal vulnerability in the popular gemini server gemserv, and posted about it here:
A directory Transversal vulnerability allows an attacker to trick the server into reading and returning files or directories on the server outside of the root of the capsule, like this:
This isn't unique to gemini. Hackers have been finding Directory Transversal vulnerabilities in web servers for 25 years.
If you read my original post, your may notice that I said "stumbled on" the vulnerability. That's because I didn't discover this vulnerability by scanning random capsules and sending malformed requests looking for vulnerabilities. Instead I found it, published on one of gemserv's pages on sr.ht, for the entire world to see. And it had been there for over a month.
On Jan 31 I was looking at the gemserv sr.ht page and I saw a security issue reported by Vukasin Vukovic on the mailing list on Dec 24th 2021. It was so small and short, I nearly overlooked it.
> Subject: LFI Vulnerability. gemserv treats %2f as absolute /
Many reported security vulns are false positives and since no one had replied I assumed this was a non-issue. However, since I was looking to adopt gemserv for my own capsule, I downloaded the software and tested it for the vulnerability to be sure. Unfortunately I found that yes, it is a valid security issue! I could access any file on any capsule running gemserv.
I found no bug ticket for the issue. There was no indication at all that @int80 even knew about the problem. Confusing the issue was that Vukasin had called this an "LFI" or "Local File Include" vulnerability and when technically this was a directory transversal vulnerability.
Ultimately I tracked down @int80's contact info on their capsule, let them know about it, and they quickly resolved the issue.
If you are a developer who makes software available for other people to use there are several lessons you should learn from this:
int80 had no contact info on their project page for gemserv. Nothing was said about how people should report bugs, let alone security issues. At the time, there was a mailing list for gemserv. This might have been something that sourcehut automatically creates for projects, or something int80 specifically set up, I'm not sure. Either way, the mailing list was the only obvious mechanism to contact the project owner, so that what Vukasin used to report the LFI vulnerability.
Bluntly, it's negligent to have communication channels for your project, and not check them. int80 should have either:
1. been watching the mailing list
2. disabled the mailing list
3. if they couldn't disable it, they should have posted a note saying that the mailing list was not used, and provided instructions on how to communication security issues or bugs
Frankly, its outrageous that a security vulnerability had been reported for anyone to see, and it went unnoticed and for over a month until I found it.
To this day, that LFI message is still sitting in the germserv mailing list, unanswered. New users may find that and wonder, is this legit? has this been fixed? When was it fixed?
Developers, if you get a security report, you need to reply to it. This helps people understand that it has been resolved. What you should say in your reply:
Thank the reporter
Confirm what versions are vulnerability
Confirm that you have fixed the issue
List the version number where the security fix exists
How do you let your users know they need to upgrade? Put something on the project page. It can be as simple as "Versions of foobar before 1.7 have known security issues. Please update to the latest version here." You need to inform your users they are at risk.
And not only announce it on the project homepage, consider announcing it on your blog or Antenna. For reasons I don't understand, int80 never posted to their gemlog about these security issues, or when a fix was available, nor talked about it via Antenna or Station.
Developers, please:
Make it easy and obvious how to communicate with you.
Check those channels.
Notify your users when they need to update to protect themselves and their data.
Directory Transversal vulnerability are surprisingly hard to fix. int80 "fixed" the problem, only to have to fix it again 2 weeks later because they didn't catch all the edge cases.
You can learn more about directory transversal attacks, and how to fix them, here:
If you want to make it easier for people to contact you about security issues, consider adding a security.txt file to your capsule.
-- Response ended
-- Page fetched on Tue May 21 10:22:43 2024
