C++ HTTP Server Path Traversal Vulnerability Allowing Arbitrary File Read
Vulnerability
A path traversal vulnerability has been identified in C++ HTTP Server versions prior to 1.0. The issue arises in the RequestHandler::handleRequest method, where the server fails to properly sanitize user-controlled URL paths in HTTP GET requests. This oversight allows an unauthenticated, remote attacker to read arbitrary files from the server's filesystem by including '../' sequences in the request. The vulnerability exists because the application directly concatenates the unsanitized filename variable to the files_directory base path, enabling traversal outside the intended root. At the time of publication, no patch was available.
Impact
Exploitation of this vulnerability leads to unauthorized access to the server's filesystem, allowing attackers to read sensitive files.
Reproduction
To reproduce this vulnerability, send an HTTP GET request to the server with a path that includes '../' sequences to traverse directories. The server will process the request and, depending on the operating system, normalize the path. If the traversal succeeds, the server opens the requested file, bypassing directory restrictions.
Remediation
To address this vulnerability, input paths should be sanitized to reject any containing '..'. Additionally, paths should be canonicalized by resolving the absolute path of the requested file and verifying it starts with the canonical files_directory path before opening the file.
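The two checks described above, sketched with C++17 std::filesystem as an added example; it is not the project's code or a patch for it. The names resolve_under_root and make_sample_tree are hypothetical, the sample tree is constructed, and the URL path is assumed to be percent-decoded before the check.

```cpp
#include <algorithm>
#include <filesystem>
#include <fstream>
#include <optional>
#include <string>
#include <system_error>
namespace fs = std::filesystem;

// Hypothetical helper. `url_path` is assumed to be already percent-decoded.
// Returns the file to open, or std::nullopt if it would fall outside `root`.
std::optional<fs::path> resolve_under_root(const fs::path& root,
                                           const std::string& url_path) {
    fs::path rel = fs::path(url_path).relative_path();  // drop the leading "/"
    for (const auto& part : rel)                        // step 1: reject ".."
        if (part == "..") return std::nullopt;

    std::error_code ec;                                 // step 2: canonicalize
    fs::path base = fs::canonical(root, ec);            // resolves symlinks
    if (ec) return std::nullopt;
    fs::path target = fs::weakly_canonical(base / rel, ec);
    if (ec) return std::nullopt;

    // Compare whole components, not raw strings: a string prefix test would
    // accept ".../files_backup/secret.txt" for a root of ".../files".
    auto ends = std::mismatch(base.begin(), base.end(),
                              target.begin(), target.end());
    if (ends.first != base.end()) return std::nullopt;
    return target;
}

// Constructed sample tree under the temp directory: files/index.html, a
// sibling files_backup/secret.txt, and a symlink files/link -> ../files_backup.
fs::path make_sample_tree() {
    fs::path top = fs::temp_directory_path() / "pt_demo";
    fs::remove_all(top);
    fs::create_directories(top / "files");
    fs::create_directories(top / "files_backup");
    std::ofstream(top / "files" / "index.html") << "ok";
    std::ofstream(top / "files_backup" / "secret.txt") << "secret";
    fs::create_directory_symlink("../files_backup", top / "files" / "link");
    return top / "files";
}

int main() {
    fs::path root = make_sample_tree();
    return resolve_under_root(root, "/link/secret.txt") ? 1 : 0;  // 0: refused
}
```

The symlink case contains no '..' at all, which is why the canonicalization step is needed in addition to the '..' rejection.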
