Path Traversal – Reading Certain File Extensions in bigbluebutton/bigbluebutton
Oct 26th 2022
BigBlueButton 2.5.6 contains a path traversal vulnerability that allows an unauthenticated attacker who knows a valid starting folder path to traverse out of it and read other files, provided those files have certain extensions (txt, swf, svg, png).
1- Submit a request to /bigbluebutton/presentation/<conference>/<room>/<presentation name>/textfiles/<id>
2- A valid path must exist on the server to traverse from.
3- Use a double-encoded forward slash ("/" as %252f) to traverse.
See the screenshot below for more details.
- Fix: Validate the parameters being passed and strip dangerous characters.
Impact: reading files with certain extensions that the client would otherwise have no access to.
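The fix described above, worked through as an added example (not BigBlueButton's own code): each route parameter is validated as one plain path component before it is joined under the presentation root, the canonical path is checked to still lie inside that root, and the same check is reused to flag suspicious requests in web-server access logs. The base directory, log format and sample log lines are constructed for the example.

```python
import re
from pathlib import Path
from urllib.parse import unquote

# Extensions the endpoint is meant to serve (from the advisory).
ALLOWED_EXTENSIONS = {".txt", ".swf", ".svg", ".png"}
# Escapes that, after one decode, still stand for '/', '\', '.' or '%':
# their presence means the parameter was double-encoded (e.g. %252f).
ENCODED_PATH_CHARS = re.compile(r"%(2f|5c|2e|25)", re.IGNORECASE)


def is_safe_segment(segment: str) -> bool:
    """True if one URL path parameter decodes to a single plain filename."""
    decoded = unquote(segment)
    if ENCODED_PATH_CHARS.search(decoded) or decoded in ("", ".", ".."):
        return False
    return not any(ch in decoded for ch in "/\\\x00")


def safe_textfile_path(base_dir: str, *segments: str):
    """Join <conference>/<room>/<presentation>/textfiles/<id> under base_dir;
    return None if any parameter could escape it or the type is not served."""
    if not all(is_safe_segment(s) for s in segments):
        return None
    base = Path(base_dir).resolve()
    candidate = base.joinpath(*(unquote(s) for s in segments)).resolve()
    # Defence in depth: the canonical path must still lie inside base_dir.
    if base not in candidate.parents:
        return None
    return candidate if candidate.suffix.lower() in ALLOWED_EXTENSIONS else None


def flag_requests(access_log_lines):
    """Return presentation request paths whose segments fail validation,
    for finding traversal attempts in access logs after the fact."""
    flagged = []
    for line in access_log_lines:
        m = re.search(r'"(?:GET|HEAD) (/bigbluebutton/presentation/\S+) HTTP', line)
        # split() yields ['', 'bigbluebutton', 'presentation', ...]; keep the rest.
        if m and not all(is_safe_segment(s) for s in m.group(1).split("/")[3:]):
            flagged.append(m.group(1))
    return flagged


# Constructed access-log lines (not real BigBlueButton traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Oct/2022:10:00:00 +0000] "GET /bigbluebutton/presentation/'
    'conf-1/room-1/pres-1/textfiles/slide-1.txt HTTP/1.1" 200 512',
    '10.0.0.9 - - [26/Oct/2022:10:00:07 +0000] "GET /bigbluebutton/presentation/'
    'conf-1/room-1/pres-1/textfiles/..%252f..%252fother.txt HTTP/1.1" 200 90',
]
```

Rejecting a parameter that still contains an escape after one decode is what closes the double-encoding gap; the canonical-path check catches anything a framework might decode a second time.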