Hi all,
A user just notified me of a potential exploit in RAMADDA that could serve up any file on the server.
Basically, a URL of the form below was not being checked properly and the "somefile" would be returned even if somefile was outside of RAMADDA's allowed directories.
So, for example, it is possible for the passwd file to be returned, e.g.:
For normal browser and wget/curl access, the "../" components of the path get resolved and RAMADDA's access checks work fine, but when these weren't getting resolved (e.g., with curl --path-as-is ...), RAMADDA was not checking the files properly.
This was a big screw-up on my part and has been in existence for many years, probably since RAMADDA was first released in 2009. Over the years RAMADDA has been scanned by a number of different web vulnerability scanners in a number of organizations and this exploit has not been found until now.
If you have access logs and want to check if your server has been accessed in this manner you can grep your logs with:
grep "/\.\./" access.log
You'll get something like:
174.63.70.130 [2022-01-13 00:05:37 UTC] "GET /repository//../test.txt HTTP/1.1" "-" "curl/7.54.0" 404 0
In the above case the 404 says the file was not found. If the file was found and returned you would see a 200 return code.
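As an added example (not from this announcement or the RAMADDA project), the grep above carried a step further: a small Python scan over constructed log lines in the format shown, listing each request that contains a "/../" segment, whether the path still escapes the repository root once the ".." segments are resolved, and whether the server answered 200. The log field layout, the "/repository" root, and the sample lines are assumptions for the example.

```python
import posixpath
import re

# Field layout inferred from the log line quoted above (assumed, not RAMADDA's spec):
# ip [timestamp] "METHOD path HTTP/x" "second quoted field" "user-agent" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'"(?P<field2>[^"]*)" "(?P<ua>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+)$'
)


def escapes_root(raw_path, root="/repository"):
    """True if the literal request path, once '..' segments are resolved, lands
    outside root. This is the check a server must apply to the *unresolved*
    path, because a client such as 'curl --path-as-is' sends '..' through as-is."""
    resolved = posixpath.normpath(raw_path)
    return not (resolved == root or resolved.startswith(root + "/"))


def scan_access_log(lines, root="/repository"):
    """Return one record per request whose path contains a '/../' segment.
    'served' is True when the status was 200, i.e. the file was likely returned."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or "/../" not in m["path"]:
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"],
            "path": m["path"],
            "status": status,
            "escapes_root": escapes_root(m["path"], root),
            "served": status == 200,
        })
    return hits


# Constructed sample lines in the same shape as the one quoted above.
SAMPLE_LOG = [
    '174.63.70.130 [2022-01-13 00:05:37 UTC] "GET /repository//../test.txt HTTP/1.1" "-" "curl/7.54.0" 404 0',
    '198.51.100.7 [2022-01-13 00:06:02 UTC] "GET /repository/entry/show?id=abc HTTP/1.1" "-" "Mozilla/5.0" 200 5120',
    '198.51.100.7 [2022-01-13 00:07:41 UTC] "GET /repository/../../etc/passwd HTTP/1.1" "-" "curl/7.54.0" 200 1894',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        state = "SERVED (200)" if hit["served"] else f"not served ({hit['status']})"
        print(f'{hit["ip"]} {hit["path"]} -> {state}; escapes root: {hit["escapes_root"]}')
```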
I have fixed this problem and have made a new release at -
My apologies if this causes anyone any problems.
-Jeff