oxyno-zeta s3-proxy Authentication Bypass Vulnerability Allowing Unauthorized S3 Actions
Vulnerability
A vulnerability in oxyno-zeta/s3-proxy prior to version 5.0.0 allows authentication bypass, enabling unauthorized actions on S3 objects. This issue arises from inconsistent URL path handling between the authentication middleware and the bucket handler. The authentication middleware processes percent-encoded request URIs, while the bucket handler uses decoded paths. This discrepancy, coupled with the glob library's path-matching behavior, allows attackers to manipulate object keys and access protected S3 resources. Exploitation can be achieved by traversing paths with encoded slashes or dot segments, or by exploiting prefix patterns that match across path boundaries.
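The following Go snippet is an added illustration of the class of flaw described above, not code from the s3-proxy project: a hypothetical route table where "/restricted/" needs authentication, an authorization check that inspects the raw percent-encoded URI (the flawed pattern), and a hardened variant that decodes and cleans the path first so the check and the handler agree on the same object key. The prefix list and request paths are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Hypothetical policy: only keys under /restricted/ require authentication.
var protectedPrefixes = []string{"/restricted/"}

func requiresAuth(p string) bool {
	for _, pre := range protectedPrefixes {
		if strings.HasPrefix(p, pre) {
			return true
		}
	}
	return false
}

// handlerKey is the object key the bucket handler would actually act on:
// percent-decoded and with "." / ".." segments and duplicate slashes removed.
func handlerKey(rawURI string) string {
	decoded, err := url.PathUnescape(rawURI)
	if err != nil {
		decoded = rawURI // undecodable input: fall back to the raw text
	}
	return path.Clean("/" + decoded)
}

// naiveDecision mirrors the advisory's flaw: the auth decision is taken on the
// raw URI while the handler uses the normalised key, so the two can disagree.
// It returns (authRequired, keyUsedByHandler).
func naiveDecision(rawURI string) (bool, string) {
	return requiresAuth(rawURI), handlerKey(rawURI)
}

// hardenedDecision normalises first and authorises on the same key the
// handler will use, closing the gap.
func hardenedDecision(rawURI string) (bool, string) {
	key := handlerKey(rawURI)
	return requiresAuth(key), key
}

func main() {
	req := "/open/..%2Frestricted/secret.txt" // constructed request path
	a, k := naiveDecision(req)
	fmt.Printf("naive:    authRequired=%v key=%s\n", a, k)
	a, k = hardenedDecision(req)
	fmt.Printf("hardened: authRequired=%v key=%s\n", a, k)
}
```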
Impact
Exploitation of this vulnerability allows unauthenticated users to perform PUT, GET, or DELETE operations on S3 objects in protected namespaces, bypassing authentication requirements.
Reproduction
To reproduce this vulnerability, send a request to an S3 endpoint served by an oxyno-zeta/s3-proxy instance running a version prior to 5.0.0. The request path must exploit the mismatch between the authentication middleware and the bucket handler, for example by traversing from an open route into a restricted one with encoded slashes or dot segments, or by abusing the glob prefix-matching behavior. Paths of the form '/upload/foo%2Frestricted/drafts/' or '/open/foo/drafts/../restricted/' illustrate the technique.
Remediation
Users can upgrade to oxyno-zeta/s3-proxy version 5.0.0 or later, where this vulnerability has been fixed.