BrowserOperator Browser-Operator-Core Path Traversal Vulnerability in Component Server
Vulnerability
A path traversal vulnerability has been identified in BrowserOperator's browser-operator-core, specifically in version 0.6.0. The issue arises in the component server's script, where the function 'startsWith' improperly handles the 'request.url' argument. As a result, an attacker who manipulates the URL can traverse outside the intended directory and potentially access sensitive files. The vulnerability can be exploited remotely, and an exploit is publicly available.
Impact
Exploitation of this vulnerability allows for unauthorized file read access, bypassing intended directory restrictions. This could lead to exposure of sensitive information from files that are readable by the component server process.
Reproduction
To reproduce this vulnerability, send a GET request to the component server's HTTP endpoint with a crafted 'request.url' that includes '../' sequences to traverse outside the allowed directory. This can be done using curl or similar tools. The vulnerability can also be reproduced in '--traces' mode by accessing sibling directories with the same prefix, bypassing the weak boundary checks.
Remediation
No specific remediation is known, but it is advised not to expose the component server to untrusted users and to avoid running it in directories with sensitive files.
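For anyone patching or reviewing a static file server with this class of flaw, the following added example (not code from the advisory or from browser-operator-core) contrasts a string-prefix boundary check with a resolve-then-contain check. The function names, the assumed shape of the weak check, and the sample root and URLs are all hypothetical.

```javascript
const path = require('path');

// Path part of request.url: drop query/fragment, percent-decode once.
// Returns null when the encoding is malformed.
function requestPath(requestUrl) {
  const raw = requestUrl.split(/[?#]/, 1)[0];
  try {
    return decodeURIComponent(raw);
  } catch {
    return null;
  }
}

// Weak boundary check (assumed shape of the flaw): a plain string-prefix test.
// '/srv/app/traces-private' also starts with '/srv/app/traces'.
function weakIsInside(root, requestUrl) {
  const p = requestPath(requestUrl);
  return p !== null && path.join(root, p).startsWith(root);
}

// Hardened check: resolve, then require the result to be the root itself or
// a descendant of it. Returns the absolute path to serve, or null to reject.
function resolveInside(root, requestUrl) {
  const p = requestPath(requestUrl);
  if (p === null || p.includes('\0')) return null;
  const base = path.resolve(root);
  const target = path.resolve(base, '.' + path.sep + p);
  const rel = path.relative(base, target);
  const escapes = rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  return escapes ? null : target;
}
// Caveat: this is a lexical check. If the root can contain symlinks, compare
// fs.realpathSync() results of root and target as well.

// Constructed sample inputs (POSIX paths), not taken from the advisory.
const SAMPLE_ROOT = '/srv/app/traces';
const SAMPLE_URLS = [
  '/run1/trace.json?download=1',
  '/../traces-private/secret.txt',
  '/..%2f..%2fetc/passwd',
];
for (const u of SAMPLE_URLS) {
  console.log(u, '| weak:', weakIsInside(SAMPLE_ROOT, u), '| hardened:', resolveInside(SAMPLE_ROOT, u));
}
```

The second sample URL is the sibling-directory case: the prefix test accepts it, while the containment test rejects it because the relative path from the root begins with '..'.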
