A path traversal flaw was found in eDeploy's session parameter handler. A remote attacker could use this flaw to create arbitrary directories on the server, potentially leading to a denial-of-service.
Acknowledgements: This issue was discovered by Andrew Griffiths of Red Hat Product Security.
upload.py: # If the filename ends with a .log, we need to process it as a log file [1] if ('file' in form) and (form['file'].filename.endswith('.log.gz')): logitem = form['file'] logfile = logitem.file try: # Let's save the file in LOGDIR directory log_dir = os.path.normpath(config_get('SERVER', 'LOGDIR', cfg_dir)) + '/' [2] filename = os.path.join(log_dir, logitem.filename) output_file = open(filename, 'w') output_file.write(logfile.read(-1)) output_file.close() except Exception, xcpt: # If we fails at saving, let's exit fatal_error("exception while saving log file: %s" % str(xcpt)) sys.exit(1) # If the succeed at saving log file, let's also exit # In fact we have nothing more to do once its saved. log('Log file %s saved' % logitem.filename) sys.exit(0) 1 - if the file is specified ending with .log.gz, at [2], we can write an arbitrary file due to an unsanitized filename like ../../../../../../../var/log/whatever.log.gz if the httpd is overly privileged, etc. upload.py returns python code to be executed on the client: sys.stdout.write(''' import commands import os import sys import hpacucli import ipmi import time ... upload-health.py if form.getvalue('session'): dest_dir = cfg_dir + form.getvalue('session') + '/' + dirname else: dest_dir = cfg_dir + '/' + dirname try: if not os.path.isdir(dest_dir): os.makedirs(dest_dir) session = a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z for fast fs directory making attack, can return arbitrary shell commands to be ran: '''Report a shell script with the error message and log the message on stderr.''' print('''#!/bin/sh cat <<EOF %s EOF exit 1 ''' % error)
This is now filed publicly https://github.com/enovance/edeploy/issues/231
Statement: Red Hat does not currently ship eNovance edeploy in a product form and as such this issue has been filed upstream.