Ferret Path Traversal Vulnerability in IO::FS::WRITE Allows Arbitrary File Write

Vulnerability

A path traversal vulnerability has been identified in Ferret versions prior to 2.0.0-alpha.4. The issue resides in the IO::FS::WRITE standard library function, where user-supplied file paths are passed directly to the file system without proper sanitization. This vulnerability allows a malicious website to manipulate file paths and write arbitrary files to the filesystem of the machine running Ferret. Exploitation occurs when an operator scrapes a website that returns filenames containing '../' sequences and uses those names to construct output paths, a common scraping practice. The attacker can control both the destination path and the content of the files being written. This flaw could lead to remote code execution by overwriting cron jobs, SSH authorized_keys, shell profiles, or by placing web shells on the server.
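The defensive check that the description says is missing, confining a scraped filename to the operator's chosen output directory before writing, is shown below as an added Go example. It is not Ferret's code and does not reproduce the IO::FS::WRITE implementation; the helper names (SafeOutputPath, WriteScraped) and the sample filenames are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a scraped filename would resolve
// outside the operator's chosen output directory.
var ErrOutsideBase = errors.New("path escapes output directory")

// SafeOutputPath confines a filename taken from untrusted (scraped) content
// to baseDir. It returns the absolute path to write to, or ErrOutsideBase.
// Hypothetical helper for illustration, not Ferret's own code.
func SafeOutputPath(baseDir, untrustedName string) (string, error) {
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	// Join cleans the result, so "." and ".." segments are resolved here.
	// An absolute untrusted name is still placed under base by Join.
	candidate := filepath.Join(base, filepath.FromSlash(untrustedName))
	rel, err := filepath.Rel(base, candidate)
	if err != nil {
		return "", err
	}
	// After cleaning, a leading ".." means the name climbed above base;
	// "." means the name was empty or resolved to base itself.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return candidate, nil
}

// WriteScraped writes data to baseDir/untrustedName only if the resolved path
// stays inside baseDir. O_EXCL refuses to overwrite an existing file, so even a
// name that passes the check cannot clobber something already on disk.
func WriteScraped(baseDir, untrustedName string, data []byte) (string, error) {
	p, err := SafeOutputPath(baseDir, untrustedName)
	if err != nil {
		return "", err
	}
	if err := os.MkdirAll(filepath.Dir(p), 0o750); err != nil {
		return "", err
	}
	f, err := os.OpenFile(p, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o640)
	if err != nil {
		return "", err
	}
	defer f.Close()
	if _, err := f.Write(data); err != nil {
		return "", err
	}
	return p, nil
}

func main() {
	base, _ := os.MkdirTemp("", "ferret-out")
	defer os.RemoveAll(base)
	// Constructed sample filenames of the kind a page might hand back to a scraper.
	for _, name := range []string{"report.html", "../../tmp/evil", "sub/dir/page.html", "..", ""} {
		p, err := WriteScraped(base, name, []byte("<html></html>"))
		fmt.Printf("%-22q -> path=%q err=%v\n", name, p, err)
	}
}
```

The check is deliberately done on the cleaned, joined path rather than by searching the raw name for "../", because encoded or repeated separators can slip past a substring test. One caveat: if a subdirectory under the output directory is a symlink pointing elsewhere, the lexical check still passes; resolving the parent with filepath.EvalSymlinks before the comparison closes that gap.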

Impact

Successful exploitation allows for arbitrary file writes with controlled content, potentially leading to remote code execution by overwriting sensitive files such as cron jobs, SSH authorized_keys, or web shell locations.

Reproduction

The vulnerability can be reproduced by hosting a malicious server that returns crafted filenames with traversal sequences. When Ferret scrapes this server's response, it writes the files outside the intended directory, confirming the path traversal vulnerability.

Remediation

Users are advised to update to Ferret version 2.0.0-alpha.4 or later, where this vulnerability has been fixed.

Added: Apr 6, 2026, 5:36 PM
Updated: Apr 6, 2026, 5:36 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          0.6
exploitability  7.7
remediation     0.0
relevance       5.4
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.