OpenBullet2 Path Traversal Vulnerability in Wordlist Endpoint Allows Arbitrary File Operations and Remote Code Execution

Vulnerability

A path traversal vulnerability has been identified in OpenBullet2 versions through 0.3.2, specifically in the wordlist endpoint. An authenticated attacker can read, write, and delete arbitrary files by supplying an unsanitized absolute path to the upload handler and the wordlist functions. Because the application runs as root by default, an arbitrary file write can be turned into remote code execution by overwriting critical system files such as /etc/passwd.

Impact

An attacker can read, write, and delete arbitrary files on the host as the application's user. Since that user is root by default, the arbitrary write can be chained into remote code execution by overwriting system files such as /etc/passwd or /etc/shadow.

Reproduction

To reproduce, upload a file through the wordlist upload form, supplying an absolute path as the file name. The upload handler saves the file under that name without sanitizing the path, so the write lands outside the wordlist directory and can overwrite sensitive files. The same endpoint can then be used to load files from the system; the existing check that prevents overwriting wordlist files can be bypassed by targeting specific file paths.

Remediation

The vulnerability can be fixed by sanitizing uploaded file names to strip directory components and traversal sequences, rejecting empty names or names containing invalid characters, and verifying that the resolved destination lies inside the allowed wordlist directory before writing. Additionally, the application should not run as root by default, so that an arbitrary file write does not immediately yield root-level code execution.
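The following is an added illustration of the remediation above, written for this page as a generic Python example; it is not OpenBullet2's own (C#) code. It contrasts the vulnerable pattern (joining a client-supplied name onto the wordlist directory, where an absolute name silently discards the base directory and ../ walks out of it) with a hardened save routine that reduces the name to one path component, rejects empty or invalid names, and re-checks the resolved destination against the base directory. The allowed character set and the `wordlists` directory name are assumptions for the example.

```python
import os
import re
import tempfile
from pathlib import Path

# Allowed wordlist file names (assumption for this example): must start with an
# alphanumeric, then letters, digits, dot, underscore, space or dash; no
# separators, no NUL, no leading dot.
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._ -]{0,254}")


class UnsafeFileName(ValueError):
    """Raised when a client-supplied file name cannot be stored safely."""


def naive_destination(base_dir: str, raw_name: str) -> str:
    """The vulnerable pattern: join the client name without sanitizing it.

    os.path.join("/data/wordlists", "/etc/passwd") returns "/etc/passwd":
    an absolute component replaces everything before it, and "../"
    components are resolved by normpath straight out of base_dir.
    """
    return os.path.normpath(os.path.join(base_dir, raw_name))


def sanitize_file_name(raw_name: str) -> str:
    """Reduce a client-supplied name to a single, validated path component."""
    if raw_name is None:
        raise UnsafeFileName("missing name")
    # Treat both separator styles as separators, keep only the last component.
    name = raw_name.replace("\\", "/").rsplit("/", 1)[-1].strip()
    if name in ("", ".", ".."):
        raise UnsafeFileName(f"empty or traversal name: {raw_name!r}")
    if not _NAME_RE.fullmatch(name):
        raise UnsafeFileName(f"invalid characters in name: {raw_name!r}")
    return name


def safe_destination(base_dir: str, raw_name: str) -> Path:
    """Path under base_dir where the upload may be written.

    Even after sanitizing, resolve the final path and require that its
    parent is exactly the resolved base directory. This also catches a
    symlink inside the wordlist directory that points elsewhere.
    """
    base = Path(base_dir).resolve()
    dest = (base / sanitize_file_name(raw_name)).resolve()
    if dest.parent != base:
        raise UnsafeFileName(f"destination escapes base directory: {dest}")
    return dest


def save_upload(base_dir: str, raw_name: str, data: bytes, overwrite: bool = False) -> Path:
    """Write an uploaded wordlist; refuses to clobber an existing file unless asked."""
    dest = safe_destination(base_dir, raw_name)
    mode = "wb" if overwrite else "xb"  # "xb" fails if the file already exists
    with open(dest, mode) as fh:
        fh.write(data)
    return dest


def run_demo() -> dict:
    """Exercise both patterns against constructed attacker-controlled names.

    Returns {name: (naive_path_escapes_base, hardened_result)} where
    hardened_result is the stored file name or "REJECTED".
    """
    attempts = ["/etc/passwd", "../../etc/passwd", "..", "", "list;rm.txt", "combo.txt"]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve() / "wordlists"
        base.mkdir()
        base_s = str(base)
        for raw in attempts:
            naive = naive_destination(base_s, raw)
            escapes = not (naive == base_s or naive.startswith(base_s + os.sep))
            try:
                hardened = safe_destination(base_s, raw).name
            except UnsafeFileName:
                hardened = "REJECTED"
            results[raw] = (escapes, hardened)
        # The hardened routine still works for an honest upload.
        saved = save_upload(base_s, "combo.txt", b"admin:admin\n")
        assert saved.read_bytes() == b"admin:admin\n"
    return results


if __name__ == "__main__":
    for raw, (escapes, hardened) in run_demo().items():
        print(f"{raw!r:22} naive escapes base: {str(escapes):5}  hardened: {hardened}")
```

Note that "/etc/passwd" and "../../etc/passwd" both reduce to a harmless `passwd` inside the wordlist directory, while the naive join would have targeted the real /etc/passwd. Rejecting any name that still contains a separator, rather than trimming it, is an equally valid and slightly stricter policy.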

Added: Jun 8, 2026, 6:13 PM
Updated: Jun 8, 2026, 6:13 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 6.6
remediation: 0.0
relevance: 9.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.