CVE-2018-7490
published 2018-02-26CVE-2018-7490: uWSGI before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the --php-docroot option, allowing directory traversal.
PriorityP269high7.5CVSS 3.0
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
70.81%
99.3th percentile
uWSGI before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the --php-docroot option, allowing directory traversal.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | uwsgi | < uwsgi 2.0.15-10.4 (bookworm) | uwsgi 2.0.15-10.4 (bookworm) |
| unbit | uwsgi | < 2.0.17 | 2.0.17 |
| unbit | uwsgi | >= 0 < 2.0.15-10.4 | 2.0.15-10.4 |
| unbit | uwsgi | >= 0 < 2.0.15-10.4 | 2.0.15-10.4 |
| unbit | uwsgi | >= 0 < 2.0.15-10.4 | 2.0.15-10.4 |
| unbit | uwsgi | >= 0 < 2.0.15-10.4 | 2.0.15-10.4 |
| unbit | uwsgi | >= 0 < 2.0.17 | 2.0.17 |
Detection & IOCsextracted from sources · hover to see the quote
- →Look for URL-encoded path traversal sequences '..%2f' in HTTP request paths targeting uWSGI PHP plugin endpoints. The traversal pattern uses percent-encoded forward slashes to bypass DOCUMENT_ROOT checks. ↗
- →Monitor uWSGI server logs for the security error message indicating a traversal attempt was made but the file contents may still have been returned to the attacker. ↗
- →Match HTTP response body for /etc/passwd content (regex: root:.*:0:0:) on requests containing '..%2f' sequences to confirm successful exploitation.
- →Vulnerability is only exploitable when uWSGI is run with --php-docroot option and without --php-allowed-docroot. Audit uWSGI configurations for use of --php-docroot without --php-allowed-docroot on versions before 2.0.17. ↗
- ·The directory traversal is only exploitable when uWSGI is run as a standalone server (without a front-end web server) using the --php-docroot option. Using --php-allowed-docroot instead mitigates the vulnerability. ↗
CVSS provenance
nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
osv7.5HIGH
vendor_debian7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
uWSGI Directory Traversal vulnerability
ghsa·2022-05-14
CVE-2018-7490 [HIGH] CWE-22 uWSGI Directory Traversal vulnerability
uWSGI Directory Traversal vulnerability
uWSGI before 2.0.17 mishandles a `DOCUMENT_ROOT` check during use of the `--php-docroot` option, allowing directory traversal.
OSV
uWSGI Directory Traversal vulnerability
osv·2022-05-14
CVE-2018-7490 [HIGH] uWSGI Directory Traversal vulnerability
uWSGI Directory Traversal vulnerability
uWSGI before 2.0.17 mishandles a `DOCUMENT_ROOT` check during use of the `--php-docroot` option, allowing directory traversal.
OSV
CVE-2018-7490: uWSGI before 2
osv·2018-02-26·CVSS 7.5
CVE-2018-7490 [HIGH] CVE-2018-7490: uWSGI before 2
uWSGI before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the --php-docroot option, allowing directory traversal.
Debian
CVE-2018-7490: uwsgi - uWSGI before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the --php-doc...
vendor_debian·2018·CVSS 7.5
CVE-2018-7490 [HIGH] CVE-2018-7490: uwsgi - uWSGI before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the --php-doc...
uWSGI before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the --php-docroot option, allowing directory traversal.
Scope: local
bookworm: resolved (fixed in 2.0.15-10.4)
bullseye: resolved (fixed in 2.0.15-10.4)
forky: resolved (fixed in 2.0.15-10.4)
sid: resolved (fixed in 2.0.15-10.4)
trixie: resolved (fixed in 2.0.15-10.4)
No detection rules found.
Exploit-DB
uWSGI < 2.0.17 - Directory Traversal
exploitdb·2018-03-02·CVSS 7.5
CVE-2018-7490 [HIGH] uWSGI < 2.0.17 - Directory Traversal
uWSGI < 2.0.17 - Directory Traversal
---
# Exploit Title: uWSGI PHP Plugin Directory Traversal
# Date: 01-03-2018
# Exploit Author: Marios Nicolaides - RUNESEC
# Reviewers: Simon Loizides and Nicolas Markitanis - RUNESEC
# Vendor Homepage: https://uwsgi-docs.readthedocs.io
# Affected Software: uWSGI PHP Plugin before 2.0.17
# Tested on: uWSGI 2.0.12 and 2.0.15
# CVE: CVE-2018-7490
# Category: Web Application
OVERVIEW
The uWSGI PHP plugin before 2.0.17 is vulnerable to Directory Traversal when used without specifying the "php-allowed-docroot" option.
The vulnerability exists due to improper validation of the file path when requesting a resource under the DOCUMENT_ROOT directory which is specified via "php-docroot".
A remote attacker could exploit this weakness to read arbitrary files
Nuclei
uWSGI PHP Plugin Local File Inclusion
nuclei·CVSS 7.5
CVE-2018-7490 [HIGH] uWSGI PHP Plugin Local File Inclusion
uWSGI PHP Plugin Local File Inclusion
uWSGI PHP Plugin before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the --php-docroot option, making it susceptible to local file inclusion.
Template:
id: CVE-2018-7490
info:
name: uWSGI PHP Plugin Local File Inclusion
author: madrobot
severity: high
description: uWSGI PHP Plugin before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the --php-docroot option, making it susceptible to local file inclusion.
impact: |
An attacker can read sensitive files on the server, potentially leading to unauthorized access or information disclosure.
remediation: |
Update to the latest version of uWSGI PHP Plugin or apply the necessary patches to fix the local file inclusion vulnerability.
reference:
- https://uwsgi-docs.readthedocs.io/en/latest/Ch
Bugzilla
CVE-2018-7490 uWSGI: Mishandled DOCUMENT_ROOT check with use of --php-docroot option allows for directory traversal
bugzilla·2018-02-27·CVSS 7.5
CVE-2018-7490 [HIGH] CVE-2018-7490 uWSGI: Mishandled DOCUMENT_ROOT check with use of --php-docroot option allows for directory traversal
CVE-2018-7490 uWSGI: Mishandled DOCUMENT_ROOT check with use of --php-docroot option allows for directory traversal
uWSGI before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the --php-docroot option, allowing directory traversal.
Upstream Changelog:
https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.html
Discussion:
Created uwsgi tracking bugs for this issue:
Affects: epel-all [bug 1549439]
Affects: fedora-all [bug 1549438]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Bugzilla
CVE-2018-7490 uWSGI: Mishandled DOCUMENT_ROOT check with use of --php-docroot option allows for directory traversal [epel-all]
bugzilla·2018-02-27·CVSS 7.5
CVE-2018-7490 [HIGH] CVE-2018-7490 uWSGI: Mishandled DOCUMENT_ROOT check with use of --php-docroot option allows for directory traversal [epel-all]
CVE-2018-7490 uWSGI: Mishandled DOCUMENT_ROOT check with use of --php-docroot option allows for directory traversal [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE:
Bugzilla
CVE-2018-7490 uWSGI: Mishandled DOCUMENT_ROOT check with use of --php-docroot option allows for directory traversal [fedora-all]
bugzilla·2018-02-27·CVSS 7.5
CVE-2018-7490 [HIGH] CVE-2018-7490 uWSGI: Mishandled DOCUMENT_ROOT check with use of --php-docroot option allows for directory traversal [fedora-all]
CVE-2018-7490 uWSGI: Mishandled DOCUMENT_ROOT check with use of --php-docroot option allows for directory traversal [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
N
https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.htmlhttps://www.debian.org/security/2018/dsa-4142https://www.exploit-db.com/exploits/44223/https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.htmlhttps://www.debian.org/security/2018/dsa-4142https://www.exploit-db.com/exploits/44223/
2018-02-26
Published