Plack Middleware XSendfile Path Rewriting Vulnerability Allowing Arbitrary File Access

Vulnerability

A vulnerability in Plack::Middleware::XSendfile, affecting versions through 1.0053, allows client-controlled path rewriting: the middleware takes the X-Sendfile-Type and X-Accel-Mapping values from the incoming request headers, so a client that can reach it with crafted copies of those headers can influence which file path it hands to the front-end server, potentially leading to unauthorized access to files on the server. The issue arises when the middleware is used behind an Nginx reverse proxy that does not validate or overwrite these headers, allowing attackers to bypass proxy-level access controls and reach sensitive application routes.

Impact

Exploitation of this vulnerability could bypass proxy-enforced restrictions, allowing access to internal endpoints intended to be protected, such as administrative pages.

Reproduction

To reproduce this vulnerability, enable Plack::Middleware::XSendfile in a Perl application running behind an Nginx reverse proxy. The proxy must be configured to pass through the X-Sendfile-Type and X-Accel-Mapping headers without validation. Once this setup is in place, send a request with a crafted X-Sendfile-Type header set to 'X-Accel-Redirect' and an X-Accel-Mapping header that maps to a sensitive file on the server.

Remediation

Users are advised to upgrade to Plack versions 1.0054 or later, where this vulnerability is addressed. For applications using Rack, upgrade to versions 2.2.20, 3.1.18, or 3.2.3, which require explicit configuration to enable 'X-Accel-Redirect'.
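The following app.psgi is an added example, not code from Plack or this advisory. It shows a hardened deployment of Plack::Middleware::XSendfile: the sendfile variant and the accel mapping come only from server-side configuration, and an outer middleware overwrites the two PSGI environment keys (HTTP_X_SENDFILE_TYPE and HTTP_X_ACCEL_MAPPING, which PSGI servers derive from the request headers) before XSendfile ever reads them, so a client-supplied header can never steer the rewrite. The 'variation' option is the middleware's documented setting; the environment overwrite is this example's own stopgap for versions through 1.0053 that read the mapping from the request, and it does not replace the upgrade. The directory and mapping values are assumptions.

```perl
#!/usr/bin/env perl
# app.psgi: hardened XSendfile setup (added example, not Plack's own code).
use strict;
use warnings;
use Plack::Builder;
use Plack::App::File;

# Server-side, fixed sendfile settings. Both values are assumptions for this
# example; the mapping's right-hand side must match the 'internal' location
# configured in Nginx, and the left-hand side the directory files live in.
my $SENDFILE_TYPE = 'X-Accel-Redirect';
my $ACCEL_MAPPING = '/srv/app/files/=/protected-files/';

# The application serves files from one fixed directory. Plack::App::File
# returns a filehandle that carries a 'path', which XSendfile rewrites with
# the mapping and emits as the X-Accel-Redirect response header.
my $files = Plack::App::File->new(root => '/srv/app/files')->to_app;

builder {
    # Outermost middleware: it runs before XSendfile and replaces whatever the
    # client (or a permissive proxy) sent in the two request headers with the
    # values fixed above. Request headers can then never influence the rewrite.
    enable sub {
        my $app = shift;
        return sub {
            my $env = shift;
            $env->{HTTP_X_SENDFILE_TYPE} = $SENDFILE_TYPE;
            $env->{HTTP_X_ACCEL_MAPPING} = $ACCEL_MAPPING;
            return $app->($env);
        };
    };

    # 'variation' is the middleware's documented option; once it is set the
    # X-Sendfile-Type request header is not consulted for the variant at all.
    enable 'XSendfile', variation => $SENDFILE_TYPE;

    $files;
};
```

On the Nginx side the same principle applies as defence in depth: set proxy_set_header X-Sendfile-Type "" and proxy_set_header X-Accel-Mapping "" in the proxied location so the proxy drops client-supplied copies (Nginx omits a header whose value is set to the empty string), or set them to the intended server-side values, and serve the redirect target from a location marked 'internal' (for this example, location /protected-files/ with alias /srv/app/files/) so it cannot be requested directly. A quick check that the stopgap works is to send a request carrying both headers with bogus values and confirm the X-Accel-Redirect header in the response still starts with the configured /protected-files/ prefix.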

Added: Apr 29, 2026, 11:20 PM
Updated: Apr 29, 2026, 11:20 PM

Vulnerability Rating

Custom Algorithm

spread: 7.3
impact: 2.5
exploitability: 8.0
remediation: 8.3
relevance: 7.0
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.