Security advisory [CVE-2017-16355]: arbitrary file read vulnerability
The cPanel Security Team discovered a vulnerability in Passenger that allows users to list the contents of arbitrary files on the system. CVE-2017-16355 has been assigned to this issue.
Affected use-cases
Arbitrary file reading may occur if the following conditions are met:
- The attacker must have access to the system, and must be able to read the output of passenger-status --show=xml. It is only possible for non-root users to see this in Passenger version 5.0.10 and higher.
- Passenger must be running as root. This is usually the case when using the Nginx or Apache integration mode (N.B. it doesn't matter what user_switching is set to).
- The attacker must be able to create a file (symlink) in the application root folder.
Passenger had a feature that allowed users to display customized information about their application, such as the revision, in the output of passenger-status. It would scan for a file called REVISION in the application's root and display its contents in passenger-status --show=xml.
The issue is that since Passenger version 5.0.10, Passenger was modified to allow non-root users to also see the output of passenger-status. If Passenger runs as root, and a malicious user is allowed to deploy their application to Passenger, they can symlink the REVISION file to any file in the system to have its contents displayed through passenger-status.
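The following is an added illustration, not Passenger's own code: it contrasts the pattern the advisory describes (a privileged process opening app_root/REVISION and following whatever it points to) with a hardened reader that refuses symlinks and non-regular files, confirms the resolved path stays inside the application root, and bounds how much it reads. The function names, the MAX_REVISION_BYTES limit and the constructed directory layout in build_demo are assumptions made for this example; it runs offline in a temporary directory.

```python
import os
import stat
import tempfile

# Assumed limit: a revision string never needs more than this, so bounding
# the read caps what an unexpected file could leak even if a check were wrong.
MAX_REVISION_BYTES = 256


def read_revision_unsafe(app_root):
    """The removed feature as the advisory describes it: open REVISION in the
    application root and return its contents. open() follows symlinks, so a
    root-owned reader returns whatever file a deployer pointed REVISION at."""
    path = os.path.join(app_root, "REVISION")
    try:
        with open(path, "rb") as f:
            return f.read().decode("utf-8", "replace")
    except OSError:
        return None


def read_revision_safe(app_root):
    """Hardened reader (added here, not Passenger's code): returns None unless
    REVISION is a regular, non-symlinked file resolving inside app_root."""
    root = os.path.realpath(app_root)
    path = os.path.join(root, "REVISION")
    try:
        st = os.lstat(path)  # lstat does not follow a symlink at REVISION itself
    except OSError:
        return None
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISREG(st.st_mode):
        return None
    # Belt and braces: the fully resolved path must still sit under the root.
    if os.path.commonpath([root, os.path.realpath(path)]) != root:
        return None
    # O_NOFOLLOW (where available) closes the lstat/open race on the last component.
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags)
    try:
        return os.read(fd, MAX_REVISION_BYTES).decode("utf-8", "replace")
    finally:
        os.close(fd)


def build_demo():
    """Constructed scenario: two application roots under a temp dir. One has a
    real REVISION file; in the other, REVISION is a symlink to a file outside
    the app root. Returns (unsafe_results, safe_results) keyed by app name."""
    base = tempfile.mkdtemp()
    outside = os.path.join(base, "outside.txt")
    with open(outside, "w") as f:
        f.write("not-for-the-app\n")

    honest = os.path.join(base, "honest_app")
    os.mkdir(honest)
    with open(os.path.join(honest, "REVISION"), "w") as f:
        f.write("abc123\n")

    hostile = os.path.join(base, "hostile_app")
    os.mkdir(hostile)
    os.symlink(outside, os.path.join(hostile, "REVISION"))

    unsafe = {
        "honest": read_revision_unsafe(honest),
        "hostile": read_revision_unsafe(hostile),
    }
    safe = {
        "honest": read_revision_safe(honest),
        "hostile": read_revision_safe(hostile),
    }
    return unsafe, safe


if __name__ == "__main__":
    unsafe_out, safe_out = build_demo()
    print("unsafe reader:", unsafe_out)  # hostile app leaks outside.txt
    print("safe reader:  ", safe_out)    # hostile app yields None
```

The lstat check alone is not sufficient if a parent directory component could be swapped for a symlink between the check and the open, which is why the resolved-path comparison and O_NOFOLLOW are both kept; removing the feature entirely, as the fixed releases did, avoids the problem class outright.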
Fixed in Passenger Enterprise 5.1.10 and Passenger Open Source 5.1.11
We've removed reading of the REVISION file to fix the arbitrary file read vulnerability.