Algernon
cpe:2.3:a:algernon_project:algernon:*:*:*:*:*:*:*
- <= 1.17.7
A path traversal vulnerability has been identified in Algernon web server versions prior to 1.17.8. When the server is started with the --domain option (or --letsencrypt, which automatically enables --domain), the request handler resolves the directory to be served by combining the specified --dir option with the client-supplied Host header. This combination is done using filepath.Join without any validation, allowing a Host header value of .. to traverse up one directory level. As a result, files in the parent directory can be accessed, leading to arbitrary file reads, full directory listings, and execution of server-side Lua scripts if a .lua file is present. The vulnerability is particularly concerning in multi-domain HTTPS deployments using Let's Encrypt, where it can be exploited without the server operator's knowledge.
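The flawed pattern described above beside a hardened replacement, written here as an added illustration for this advisory rather than Algernon's own source; the function names, the `rootDir` and `hostHeader` parameters, and the decision to serve only plain DNS names (no IP literals) are assumptions of the example:

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"path/filepath"
	"strings"
)

// Constructed illustration of the flaw (not Algernon's source): the served
// directory comes from filepath.Join of the document root and the raw
// client-supplied Host header, so a Host of ".." resolves to the parent.
func vulnerableServeDir(rootDir, hostHeader string) string {
	return filepath.Join(rootDir, hostHeader)
}
var errBadHost = errors.New("rejected Host header")

// hardenedServeDir accepts only a plain DNS name (an optional port is
// stripped): labels of [a-z0-9-], so ".", "..", "/" and "\" never reach the
// filesystem. As defence in depth it also confirms the joined path is still
// beneath rootDir. IP literals are rejected by design in this example.
func hardenedServeDir(rootDir, hostHeader string) (string, error) {
	host := strings.ToLower(hostHeader)
	if strings.Contains(host, ":") {
		h, _, err := net.SplitHostPort(host)
		if err != nil {
			return "", errBadHost
		}
		host = h
	}
	for _, label := range strings.Split(host, ".") {
		if label == "" || label[0] == '-' || label[len(label)-1] == '-' {
			return "", errBadHost
		}
		for _, c := range label {
			if !(c >= 'a' && c <= 'z' || c >= '0' && c <= '9' || c == '-') {
				return "", errBadHost
			}
		}
	}
	dir := filepath.Join(rootDir, host)
	if rel, err := filepath.Rel(rootDir, dir); err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errBadHost
	}
	return dir, nil
}

func main() {
	fmt.Println(vulnerableServeDir("/srv/sites", "..")) // /srv
	_, err := hardenedServeDir("/srv/sites", "..")
	fmt.Println(err) // rejected Host header
}
```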
Exploitation of this vulnerability allows an unauthenticated remote attacker to read arbitrary files from the parent directory of the configured document root, enumerate that directory, and execute Lua scripts on the server side with the same privileges as the user running the Algernon process. In the default production configuration, this could lead to remote code execution.
To reproduce this vulnerability, first build the affected version of Algernon. Then, start the server with the --domain option, directing it to a directory that contains a file named SECRET.txt and a Lua script named pwn.lua. The SECRET.txt file should contain a sensitive message, while the pwn.lua file should include Lua code that, when executed, demonstrates the vulnerability, such as reading the SECRET.txt file or executing a command on the server.
Users can update to Algernon version 1.17.8 or later, where this vulnerability has been fixed.