top of page


Public·17 members
Ryan Gomez
Ryan Gomez

Shopping For An Admin Account Via Path Traversal UPDATED

The above line of code is the place where the Client::GitlabApp is used to update a subscription on; this call occurs when a customer moves the subscription from one namespace to another. The parameter @namespace_id is user controlled but the payload of the PUT operation (body: @attrs.to_json) is not. The API_TOKEN is an access token to's API with admin privileges. The threat which arises from the call to Client::GitlabApp.put is the possibility to traverse the path on's API by supplying a @namespace_id of ../other/path and thus being able to reach other API endpoints than the intended /api/v4/namespace/.

Shopping for an admin account via path traversal


This type of attack, namely a path (or directory) traversal attack, is a very common and generic issue. It can occur basically everywhere that path parameters are being plunged together (e.g. file systems access or unpacking of archive files).

The API endpoint on is implemented using Grape which implements parameter handling in a way that any PUT/POST parameters will be merged with the path-based GET parameters into the params hash. This means that besides the body: @attrs.to_json payload in the PUT operation we could, using the unsanitized @namespace_id parameter, not only traverse API endpoints using ../ sequences, we could also inject attributes on the API endpoint by appending ?some_attribute=our_value to @namespace_id. So, in addition to the path traversal, we can also inject arbitrary arguments on the API endpoint. In combination the two steps can enable quite powerful attacks.

Taking the above building blocks of path traversal and attribute injection in a request using an admin token on the API, we have a quite powerful and universal attack at hand. While investigating and verifying the issue on GitLab's staging environment it could be used to promote regular accounts to admin. The actual payload is quite simple: ../users/?admin=true it resulted in a PUT request to =true.

The issue was mitigated promptly by the fulfillment backend team. The application is now enforcing the @namespace_id parameter to be numerical. Also additional defense-in-depth measures have been taken to avoid path traversals and similar attacks.

We've seen here a very good example of the typical pitfalls in modern applications which make use of backend services via API calls. The path traversal in combination with the ability to inject further attributes in the API call allowed us to cause severe impact. The issue, even though present in the code base, could be used to elevate user privileges on

As you are dealing with a relative path, you can try if pathtraversal works, so you could get to the root of the web server e.g.via :3000/#/deluxe-membership?testDecal=..%2F..%2F..%2Ftest.This will indeed result in the image actually being requested as :3000/test!

Combining that redirect exploit with the forgotten testDecal andits susceptibility to path traversal will allow you to craft a URLlike :3000/#/deluxe-membership? the most difficult part is to get the URL encoding just rightto bypass the redirect allowlist and still get the intended imagereturned cross-domain.

While doing some research I identified a number of vulnerabilities in CubeCart version 6.1.5, the latest version available as of the writing of this article. In this article, I will explain what these web application vulnerabilities are and how attackers can exploit them to hijack the accounts of both customers and the shopping cart admin to gain administrative access to the online ecommerce solution.

HASH corresponds to the hash previously explained and ID is the user id of the administrator that the logged in administrator wishes to delete. This functionality is vulnerable to CSRF attacks since there is no token value sent along with the request to verify that it was triggered by the logged in administrator. Therefore the attacker can delete all administrator accounts by writing a simple JS code that iterates over a range of values to substitute the admin_id value.

Many file operations are intended to take place within a restricted directory. By using special elements such as ".." and "/" separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the "../" sequence, which in most modern operating systems is interpreted as the parent directory of the current location. This is referred to as relative path traversal. Path traversal also covers the use of absolute pathnames such as "/usr/local/bin", which may also be useful in accessing unexpected files. This is referred to as absolute path traversal.

The following code demonstrates the unrestricted upload of a file with a Java servlet and a path traversal vulnerability. The action attribute of an HTML form is sending the upload file request to the Java servlet.

Additionally, the creation of the BufferedWriter object is subject to relative path traversal (CWE-23). Since the code does not check the filename that is provided in the header, an attacker can use "../" sequences to write to files outside of the intended directory. Depending on the executing environment, the attacker may be able to specify arbitrary files to write to, leading to a wide variety of consequences, from code execution, XSS (CWE-79), or system crash.

Directory traversal vulnerabilities are simply loopholes in an application that allows unauthorized users to access files outside a restricted directory structure. Traversal loopholes are among the most common problems found with any protocol that maps user requests to local file paths. It has been the cause of numerous Microsoft security vulnerabilities. These loopholes can easily be exploited to launch directory traversal attacks.

If the result of maildirRoot.getCanonicalPath() is not slash terminated it allows for partial path traversal.Consider "/var/store/maildir/domain/admin".startsWith("/var/store/maildir/domain/adm"). The check is bypassed although it is not the adm directory.The terminating slash may be removed in various places. On Linux println(new File("/var/")) returns /var, but println(new File("/var", "/")) - /var/, however println(new File("/var", "/").getCanonicalPath()) - /var.

A path traversal vulnerability has been identified in the Glype web-based proxy that allows an attacker to run arbitrary PHP code on the server or to remove critical files from the filesystem. This only affects servers that are configured to:

PHP takes this session ID from a cookie, so the value returned by session_id() is under control of the user. By using path traversal a user can overwrite or create any file on the server with the rights of the webserver's system user.

However, the actual impact of these bugs is quite limited because the authentication system guarantees that the vulnerable code paths can only be reached by admin or limited-admin users. In short, they are almost useless ?

The curious thing is that this path traversal has been fixed in version 5.20 of the firmware which was released months ago, however in the release notes there is no mention of it. The new code is as follows:

To prevent path traversal attacks, the normalization function which is responsible to resolve URL-encoded values from the requested URI, resolved Unicode values one at a time. Hence when URL encoding the second dot as %2e, the logic fails to recognize %2e as dot thereby not decoding it, this converts the characters ../ to .%2e/ and bypasses the check.

While CVE-2021-41773 was initially documented as Path traversal and File disclosure vulnerability additional research concluded that the vulnerability can be further exploited to conduct remote code execution when mod_cgi module is enabled on the Apache HTTP server, this allows an attacker to leverage the path traversal vulnerability and call any binary on the system using HTTP POST requests.

CVE-2021-42013 was introduced as the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient as it did not cover double URL encoding, therefore the vulnerable configurations remained the same, but payload used in 2.4.49 was double URL encoded in 2.4.50 to administer the same path traversal and remote code execution attack.

Drupal uses the Twig third-party library for content templating and sanitization. Twig is vulnerable to path traversal. When using the filesystem loader to load templates for which the name is a user input, it is possible to use the source or include statement to read arbitrary files from outside the templates directory when using a namespace like @somewhere/../some.file (in such a case, validation is bypassed).

An authentication bypass vulnerability using an alternate path or channel exists in FortiOS which may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.

Affected versions of Grafana is vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance.

There is no simple way to do this manually in Joomla as opposed to WordPress where it may be possible to iterate through the users using a simple bash one-liner.With Joomla, it requires guesswork. All new installs have a 'Super Administrator account' called admin. As part of the install, Joomla requests a password for this account. Joomla also suggests changing the name of the account from 'admin' to something more difficult to guess.

An example of this type of tool is phpmyadmin running on the web server. A weak database password or vulnerable version of phpmyadmin would lead to compromise of the database and possibly even code execution.Discovery of the phpmyadmin installation would usually involve a content discovery scan that would include common paths for phpmyadmin in the content discovery scanner list.


Welcome to the group! You can connect with other members, ge...


  • Paul Mooney
  • Sheena Owens
    Sheena Owens
  • Mark
  • Alex Brod
    Alex Brod
  • Lokawra Shiopa
    Lokawra Shiopa
bottom of page