The cPanel Security Team discovered a vulnerability in Passenger that allows users to list the contents of arbitrary files on the system. CVE-2017-16355 has been assigned to this issue.
Affected use-cases
Arbitrary file reading may occur if the following conditions are met:
-
The attacker must have access to the system, and must be able to read the output of
passenger-status --show=xml
. It is only possible for non-root users to see this in Passenger version 5.0.10 and higher. -
Passenger must be running as root. This is usually the case when using the Nginx or Apache integration mode (N.B. it doesn't matter what
user_switching
is set to). -
Attacker must be able to create a file (symlink) in the application root folder.
Passenger had a feature that allowed users to display customized information about their application, such as the revision, in the output of passenger-status
. It would scan for a file called REVISION
in the application's root and display its contents in passenger-status --show=xml
.
The issue is that since Passenger version 5.0.10, Passenger was modified to allow non-root users to also see the output of passenger-status
. If Passenger runs as root, and a malicious user is allowed to deploy their application to Passenger, they can symlink the REVISION
file to any file in the system to have its contents displayed through passenger-status
.
Fixed in Passenger Enterprise 5.1.10 and Passenger Open Source 5.1.11
We've removed reading of the REVISION
file to fix the arbitrary file read vulnerability.