http://parse.com directory traversal vulnerability
Little Insight:
http://parse.com was vulnerable to a directory traversal / RCE vulnerability. As a result, it was possible for an attacker to load web-server-readable files from the local filesystem, or to run commands on the server.
Well, this is my 4th reward from Facebook, for a Directory Traversal or RCE vulnerability.
That gave me 5th position on the Facebook white-hat page.
Report Date: 23 July 2014
Reward for Directory Traversal or RCE Vulnerability:
How does this work?
As discussed in my earlier post on the Flowdock directory traversal vulnerability, which exposed files outside of Rails' view paths, '%5C' turns into '\' after decoding. Rack::Protection only rejects '/../' segments in the request path. The patch applied to Rack::Protection for CVE-2014-0130 now also rejects '%5C', which turns into '\' after decoding.
Now, my work.
My finding:
In the summary above (CVE-2014-0130), '/../' segments in the request path are rejected, and the path is also sanitized to filter out malicious characters like "..%5c". So I tried to bypass the filter with " \../ " or " \..%2f " segments in the request path. I will disclose more details in my next post on the Ruby on Rails Rack::Protection bypass, which affects old versions; the patched versions you can use are 4.1.1, 4.0.5 and 3.2.18.
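To show the defensive side of this, here is an added example (not code from this post, from Rails or from Rack::Protection): a path check that percent-decodes, treats a backslash as a path separator, and only then looks for ".." segments, so the "\..%2f" spelling used in this post is caught; the module and method names are my own.

```ruby
# Defensive path sanitiser (added example, not Rails' or Rack::Protection's code).
# The bypass in the post works because the filter looks for "/../" but the
# request carries "\..%2f": the backslash is never seen as a separator.
module SafePath
  MAX_DECODE_ROUNDS = 3

  # Percent-decode only (no "+" to space), without needing the rack gem.
  def self.percent_decode(str)
    str.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
  end

  # Returns the cleaned relative path, or nil if the path escapes the root.
  def self.clean(raw_path)
    decoded = raw_path
    # Decode until stable so double-encoded "%255c" is also caught.
    MAX_DECODE_ROUNDS.times do
      again = percent_decode(decoded)
      break if again == decoded
      decoded = again
    end
    # Treat backslash exactly like a slash before splitting into segments.
    segments = decoded.tr('\\', '/').split('/')
    return nil if segments.include?('..')
    segments.reject(&:empty?).join('/')
  end

  # True when the path should be blocked (useful for a WAF or detection rule).
  def self.traversal?(raw_path)
    clean(raw_path).nil?
  end
end

# Constructed sample request paths, including the vector quoted in the post.
SAMPLES = [
  '/about/\\..%2f\\..%2f\\..%2fGemfile',
  '/about/..%5c..%5cGemfile',
  '/about/team'
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |p| puts "#{p} => #{SafePath.traversal?(p) ? 'BLOCKED' : 'ok'}" }
end
```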
Now, coming back to Parse.com, a Facebook acquisition: here is the proof of concept that I included with the LFI/RCE bug report. It displayed the contents of /etc/passwd or the Gemfile of the http://parse.com server.
More than 5 pages on parse.com were vulnerable to the same vector. One of them:
PoC URL: https://parse.com/about/\..%2f\..%2f\..%2fGemfile
After some time I found out how to turn the Ruby on Rails LFI into remote code execution, or a shell.
Thanks to Jeff Jarmoc for his great article on remote code execution / shells, which made RCE on parse.com possible.
PoC URL: https://parse.com/about/\..%2f\..%2f\..%2fproduction .log?codetoexec=?
More about it:
The vulnerability mentioned here has been confirmed and fixed by the Facebook team.
you can also meet me