# aiohttp.web.static(follow_symlinks=True) is vulnerable to directory traversal
## Overview
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When aiohttp is used as a web server with static routes configured, a root path for the static files must be specified. The `follow_symlinks` option controls whether symbolic links pointing outside the static root directory are followed. When `follow_symlinks` is set to `True`, there is no validation that the file being read lies within the root directory, which can lead to a directory traversal vulnerability and unauthorized access to arbitrary files on the system. This happens even when no symbolic links are present.
## Affected versions
- All versions before 3.9.2; fixed in version 3.9.2
## Details
When aiohttp is used as a web server with static routes configured, the `follow_symlinks` option controls whether symbolic links outside the static root directory are followed. If `follow_symlinks` is `True`, aiohttp does not check that the requested file lies within the root directory, which can lead to a directory traversal vulnerability. The flaw is present even when no symbolic links exist. Upgrading to version 3.9.2 fixes the issue.
## Impact
- Unauthorized file access
- Potential security risk, such as disclosure of sensitive information
- Recommended mitigations: disable `follow_symlinks` and serve static files through a reverse proxy
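As an added illustration (not aiohttp's own code), the following shows the root-containment check a static file handler needs, with the weak and recommended `add_static` settings as comments; it assumes Python 3.9+ for `Path.is_relative_to` and builds its own constructed sample directory tree:

```python
import os
import tempfile
from pathlib import Path

# Weak setting (aiohttp before 3.9.2 performed no root-containment check here):
#   app.router.add_static("/static/", "/srv/site/static", follow_symlinks=True)
# Recommended setting (follow_symlinks defaults to False):
#   app.router.add_static("/static/", "/srv/site/static")


def resolve_static_file(root, requested: str, follow_symlinks: bool = False):
    """Map the path part of a static-route request to a file under root.

    Returns the resolved file Path, or None when the request must be refused.
    Illustrative check only, not aiohttp's implementation.
    """
    root = Path(root).resolve()
    # 1. Lexical containment: collapse "." and ".." segments before touching the
    #    filesystem, so traversal is refused even when no symlink exists. This is
    #    the check that was skipped when follow_symlinks=True.
    candidate = Path(os.path.normpath(root / requested.lstrip("/")))
    if not candidate.is_relative_to(root):
        return None
    # 2. Physical containment: after resolving symlinks the target must still be
    #    under root, unless the operator explicitly opted into follow_symlinks.
    real = candidate.resolve()
    if not follow_symlinks and not real.is_relative_to(root):
        return None
    return real if real.is_file() else None


def build_sample_tree():
    """Constructed fixture: a static root with one file and a symlink out of it."""
    base = Path(tempfile.mkdtemp())
    root = base / "static"
    root.mkdir()
    (root / "app.js").write_text("console.log('ok')")
    (base / "secret.txt").write_text("not for the web")
    (root / "escape").symlink_to(base / "secret.txt")
    return root, base / "secret.txt"


if __name__ == "__main__":
    root, secret = build_sample_tree()
    print(resolve_static_file(root, "app.js"))                         # served
    print(resolve_static_file(root, "../secret.txt"))                  # None
    print(resolve_static_file(root, "escape"))                         # None
    print(resolve_static_file(root, "escape", follow_symlinks=True))   # secret
```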
| # | PoC description | Source link |
|---|---|---|
| 1 | CVE-2024-23334 | https://github.com/ox1111/CVE-2024-23334 |
| 2 | (no description) | https://github.com/sxyrxyy/aiohttp-exploit-CVE-2024-23334-certstream |
| 3 | A proof of concept of the path traversal vulnerability in the python AioHTTP library =< 3.9.1 | https://github.com/z3rObyte/CVE-2024-23334-PoC |
| 4 | aiohttp LFI (CVE-2024-23334) | https://github.com/jhonnybonny/CVE-2024-23334 |
| 5 | This repository contains a proof of concept about the exploitation of the aiohttp library for the reported vulnerability CVE-2024-23334. | https://github.com/brian-edgar-re/poc-cve-2024-23334 |
| 6 | Exploit for CVE-2024-23334 (aiohttp >= 1.0.5 && <= 3.9.1) | https://github.com/binaryninja/CVE-2024-23334 |
| 7 | A proof of concept of the LFI vulnerability on aiohttp 3.9.1 | https://github.com/s4botai/CVE-2024-23334-PoC |
| 8 | Proof-of-Concept for LFI/Path Traversal vulnerability in Aiohttp =< 3.9.1 | https://github.com/wizarddos/CVE-2024-23334 |
| 9 | (no description) | https://github.com/Pylonet/CVE-2024-23334 |
| 10 | Proof of concept of the path traversal in python AioHTTP library =< 3.9.1 | https://github.com/Arc4he/CVE-2024-23334-PoC |
| 11 | Bash script to automate Local File Inclusion (LFI) attacks on aiohttp server version 3.9.1. | https://github.com/TheRedP4nther/LFI-aiohttp-CVE-2024-23334-PoC |
| 12 | This repository is a proof of concept (POC) for CVE-2024-23334, demonstrating an attempt to replicate the bug in aiohttp that leads to Local File Inclusion (LFI). | https://github.com/Betan423/CVE-2024-23334-PoC |
| 13 | A proof of concept of the path traversal vulnerability in the python AioHTTP library =< 3.9.1 | https://github.com/BestDevOfc/CVE-2024-23334-PoC |
| 14 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-23334.yaml |
| 15 | (no description) | https://github.com/vulhub/vulhub/blob/master/python/CVE-2024-23334/README.md |
| 16 | (no description) | https://github.com/Threekiii/Awesome-POC/blob/master/%E5%BC%80%E5%8F%91%E8%AF%AD%E8%A8%80%E6%BC%8F%E6%B4%9E/Python%20aiohttp%20%E7%9B%AE%E5%BD%95%E9%81%8D%E5%8E%86%E6%BC%8F%E6%B4%9E%20CVE-2024-23334.md |