Algernon Web Server Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in Algernon web server versions prior to 1.17.7. The issue arises when a request targets a URL path that maps to a directory with no index file. In that case the server's directory handler walks up through the parent directories, continuing beyond the configured server root, looking for a file named 'handler.lua'. Once found, that file is executed as the request handler, with the full Algernon API exposed to the Lua interpreter. As a result, any process that can write 'handler.lua' into a parent directory of the server root can execute arbitrary code remotely, without authentication. This is particularly concerning in multi-tenant or shared hosting environments, where one user's files can affect another user's server instance.
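The flaw described above is a path-containment failure: a file lookup that is allowed to leave the server root. The Go program below is an added example written for this advisory, not Algernon's source or its actual fix; it reconstructs the vulnerable lookup pattern (walk every parent until 'handler.lua' turns up) beside a bounded version that stops at the server root and also rejects a candidate that resolves, through a symlink, to somewhere outside the root. The fixture builder, the function names and the directory layout ('public/sub' under a temporary base, with a constructed 'handler.lua' planted one level above the root) are all assumptions made for the demo; nothing in it executes Lua.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// findHandlerUnbounded reconstructs the vulnerable pattern the advisory
// describes: starting at the requested directory it walks upward through
// every parent, past the server root, until a handler.lua is found.
// Hypothetical reconstruction for illustration, not Algernon's code.
func findHandlerUnbounded(dir string) (string, bool) {
	for {
		candidate := filepath.Join(dir, "handler.lua")
		if st, err := os.Stat(candidate); err == nil && !st.IsDir() {
			return candidate, true
		}
		parent := filepath.Dir(dir)
		if parent == dir { // reached the filesystem root without a hit
			return "", false
		}
		dir = parent
	}
}

// within reports whether p is root itself or lies underneath it.
// Both arguments must be absolute, symlink-resolved paths.
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)))
}

// findHandlerBounded performs the same upward search but never leaves
// serverRoot: the requested directory must be inside the root, the walk
// stops at the root, and the candidate is checked after symlink resolution
// so a link that points above the root is refused rather than executed.
func findHandlerBounded(serverRoot, dir string) (string, error) {
	root, err := filepath.Abs(serverRoot)
	if err != nil {
		return "", err
	}
	if root, err = filepath.EvalSymlinks(root); err != nil {
		return "", err
	}
	cur, err := filepath.Abs(dir)
	if err != nil {
		return "", err
	}
	if cur, err = filepath.EvalSymlinks(cur); err != nil {
		return "", err
	}
	if !within(root, cur) {
		return "", errors.New("requested directory is outside the server root")
	}
	for {
		candidate := filepath.Join(cur, "handler.lua")
		if st, err := os.Stat(candidate); err == nil && !st.IsDir() {
			real, err := filepath.EvalSymlinks(candidate)
			if err != nil {
				return "", err
			}
			if !within(root, real) {
				return "", errors.New("handler.lua resolves outside the server root")
			}
			return candidate, nil
		}
		if cur == root { // do not step above the root
			return "", os.ErrNotExist
		}
		cur = filepath.Dir(cur)
	}
}

// buildFixture creates <base>/public/sub (server root = <base>/public) and
// plants a constructed handler.lua one level ABOVE the root, in <base>.
func buildFixture(base string) (root, sub string, err error) {
	root = filepath.Join(base, "public")
	sub = filepath.Join(root, "sub")
	if err = os.MkdirAll(sub, 0o755); err != nil {
		return "", "", err
	}
	planted := filepath.Join(base, "handler.lua")
	err = os.WriteFile(planted, []byte("-- constructed sample, never executed here\n"), 0o644)
	return root, sub, err
}

func main() {
	base, err := os.MkdirTemp("", "algernon-demo-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	root, sub, err := buildFixture(base)
	if err != nil {
		panic(err)
	}
	if p, ok := findHandlerUnbounded(sub); ok {
		fmt.Println("unbounded lookup would execute:", p)
	}
	if _, err := findHandlerBounded(root, sub); err != nil {
		fmt.Println("bounded lookup refused:", err)
	}
}
```

Running findHandlerUnbounded with the server root itself as the starting directory doubles as an audit on a deployment that cannot be upgraded yet: it lists the first 'handler.lua' a vulnerable version would pick up from the root's ancestors, which is the file an administrator should remove or lock down.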

Impact

Exploitation of this vulnerability allows for pre-authenticated remote code execution on the affected Algernon server.

Reproduction

To reproduce this vulnerability, upload a 'handler.lua' file to a parent directory of the Algernon server root that is writable by the server process. Then, start the Algernon server and make a request to a directory that does not have an index file. The server will execute the 'handler.lua' file, allowing for remote code execution.

Remediation

Users are advised to update to Algernon version 1.17.7 or later, where this vulnerability has been fixed.

Added: May 26, 2026, 11:58 PM
Updated: May 26, 2026, 11:58 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 7.5
exploitability: 7.7
remediation: 7.7
relevance: 9.6
threat: 1.6
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.