CVE-2021-40841 - Path Traversal

Created: 2021-12-07

Overview

During a security audit of a LiveConfig customer, Dr. Arne Kersting from mgm security partners GmbH discovered a path traversal vulnerability in LiveConfig.

Cause

LiveConfig has a Log File Viewer component for comfortable access to account-specific log files (e.g. access.log, priv/php_errors.log). The user can choose which log file he wants to view. Due to inadequate input validation it was possible for a user to request access to other files outside of the log base directory.

Risk

LiveConfig basically performs all tasks with the minimum required permissions. Also in this case, LiveConfig switches to the affected user account before opening the requested file. Thus, the path traversal issue “only” allows alternative access to files where the user nevertheless has read permissions (PHP, CGI, Cron scripts etc. may also read files at arbitrary locations). It is not possible to read files from other customers or generally to read files which are not world-readable.

For this reason, we consider the risk of this issue to be low to medium. In a worst-case scenario, a webspace user without any PHP/CGI/Cron permission might access readable files.

Acknowledgements

We want to thank Dr. Arne Kersting (mgm security partners GmbH) for the responsible disclosure of the detected security issue and for the friendly and open communication.

• reported: 2021-09-09 18:09 GMT+2
• fixed: 2021-09-09 21:29 GMT+2 (commit f69b62de)
• affected versions: up to v2.12.2
• fixed in: v2.12.3 / v2.13.0