Roxy-WI Arbitrary File Read Vulnerability in HAProxy Section Save Interface

An arbitrary file read vulnerability has been identified in Roxy-WI versions prior to 8.2.6.4. The issue arises in the HAProxy section save interface, specifically with the oldconfig parameter, which is used to manage configuration files. The vulnerability allows unauthorized reading of files from the server.

Impact

Exploitation of this vulnerability allows for arbitrary file reading, which could lead to the disclosure of sensitive information from the server.

Reproduction

To reproduce this vulnerability, send a POST request to the '/config/section/haproxy/<server_ip>/save' endpoint. Include a JSON payload that specifies the 'oldconfig' parameter with the path of the file to be read, such as '/etc/passwd'. The 'start_line' and 'end_line' parameters can be set to 0, and the 'config' parameter can be left empty. The response will contain the contents of the specified file, demonstrating the successful exploitation of the vulnerability.

Remediation

Users can update to Roxy-WI version 8.2.6.4 or later, where this vulnerability has been fixed.