CVE-2019-15596
Description
A path traversal vulnerability in statics-server allows attackers to read arbitrary files when a symlink exists in the working directory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
The statics-server package (likely a static file server) contains a path traversal vulnerability in all versions. The root cause is improper handling of symbolic links (symlinks) within the server's working directory. When a symlink is present, the server fails to validate that the resolved path stays within the intended root directory, allowing an attacker to traverse outside the web root [1].
Exploitation
An attacker can exploit this by placing or leveraging an existing symlink that points to a directory outside the server's root. No authentication is required if the server is publicly accessible. The attacker simply crafts a request that includes the symlink path, causing the server to serve files from the linked location. The attack surface is the HTTP endpoint that serves static files [1].
Impact
Successful exploitation allows an attacker to read arbitrary files on the server's filesystem, such as configuration files, source code, or sensitive data. This can lead to information disclosure and potentially further compromise of the system [1].
Mitigation
As of the publication date (2019-12-18), no patched version was available. Users should avoid placing symlinks within the server's working directory or switch to an alternative static file server that resolves symlinks and validates the resulting path against the web root. The vulnerability was reported via HackerOne [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| statics-server (npm) | <= 0.0.9 | — |
Affected products
- statics-server/statics-server
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-j27j-4w6m-8fc4 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-15596 (NVD advisory)
- hackerone.com/reports/695416 (HackerOne report)
- www.npmjs.com/advisories/1303 (npm advisory)
News mentions
No linked articles in our index yet.