Path Traversal – Reading Certain File Extensions in bigbluebutton/bigbluebutton

Valid

Reported on

Oct 26th 2022


BigBlueButton 2.5.6 is vulnerable to a path traversal vulnerability that allows an attacker with a valid starting folder path to traverse and read other files without authentication, assuming the files have certain extensions (txt, swf, svg, png).

• PoC:

1- Submit a request to /bigbluebutton/presentation/<conference>/<room>/<presentation name>/textfiles/<id>

2- A valid path needs to be present on the server to traverse from.

3- Utilize a double-encoded forward slash "/" to traverse (%252f).

Check the below screenshot for more details.

https://drive.google.com/file/d/1UayYuoU4wVud1DUa3jY7B2G63_sOkNKy/view?usp=sharing

• Fix: Do input validation on the parameters being passed and strip dangerous characters.

Impact

Reading files with certain extensions that the client has no access to by default.
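The kind of validation the report's fix asks for, written as an added illustration rather than BigBlueButton's own code: each user-supplied path segment is percent-decoded until it stops changing (so a double-encoded %252f is seen as the "/" it becomes), separators and dot segments are rejected, and the final path is resolved and checked to still lie under the base directory with one of the extensions the report names. The base directory and the route shape are assumptions.

```python
# Added example of hardened path-segment handling; not BigBlueButton code.
# Base directory and the textfiles route layout are assumed for illustration.
from pathlib import Path
from urllib.parse import unquote

# Extensions named in the report as readable through the endpoint
ALLOWED_EXTENSIONS = {".txt", ".swf", ".svg", ".png"}
MAX_DECODE_ROUNDS = 3


def fully_decode(value: str) -> str:
    """Percent-decode until the value is stable, so that a double-encoded
    sequence such as %252f is examined as the '/' it eventually becomes."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def validate_segment(segment: str) -> str:
    """Accept exactly one path component: no separators, no '.'/'..', no NUL."""
    decoded = fully_decode(segment)
    if not decoded or decoded in (".", "..") or any(c in decoded for c in "/\\\x00"):
        raise ValueError(f"rejected path segment: {segment!r}")
    return decoded


def resolve_textfile(base: Path, conference: str, room: str,
                     presentation: str, file_id: str) -> Path:
    """Build <base>/<conference>/<room>/<presentation>/textfiles/<id> and
    confirm the resolved path stays under base with an allowed extension."""
    parts = [validate_segment(s) for s in (conference, room, presentation, file_id)]
    candidate = base.joinpath(*parts[:3], "textfiles", parts[3])
    base_resolved = base.resolve()
    resolved = candidate.resolve()  # collapses symlinks and any remaining '..'
    if base_resolved not in resolved.parents:
        raise ValueError("resolved path escapes the presentation directory")
    if resolved.suffix.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not permitted: {resolved.suffix!r}")
    return resolved
```

Validating each segment before the path is joined, and checking the resolved result afterwards, covers both the encoding trick described in the PoC and any traversal a framework might let through after its own single decode.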

We are processing your report and will contact the bigbluebutton team within 24 hours. a year ago
We have contacted a member of the bigbluebutton team and are waiting to hear back a year ago
a year ago

Maintainer


Thanks for this submission. We're working on adding more validation.

We have sent a follow up to the bigbluebutton team. We will try again in 7 days. a year ago
We have sent a second follow up to the bigbluebutton team. We will try again in 10 days. a year ago
bigbluebutton/bigbluebutton maintainer modified the Severity from Low (3.7) to Low (3.1) a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
bigbluebutton/bigbluebutton maintainer validated this vulnerability a year ago

Hey! Thanks for your report, we've assigned a developer to fix it.

Abdulmohsen Alotaibi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Abdulmohsen
3 months ago

Researcher


@bigbluebutton Hi team, I'd appreciate it if you could release a CVE on that from your end through Github.

Anton Georgiev
3 months ago

Maintainer


Hi @anndalotaibi,

I have requested a CVE from GitHub via https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3qjg-229m-vq84

It typically takes up to a day. I will keep you posted.

Anton Georgiev marked this as fixed in 2.6.0 with commit 6922bb a month ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Anton Georgiev published this vulnerability a month ago