TID-323

TID-323: HTTP Path Traversal

Threat Description

A threat actor can send requests for files or content that resides in different directories from those intended to be accessible by the a web server. This can be used to gain access to data that is not intended to be remotely accessible through the web servers, such as files from the operating system or other applications. This threat is primarily a result of the web server having excessive privileges regarding files and directories on the device

Threat Maturity and Evidence

Observed Adversary Behavior
Fortinet FortiOS SSL VPN Path Traversal Vulnerability
“Fortinet FortiOS SSL VPN web portal contains a path traversal vulnerability that may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.”

CWE

CWE-22: Path Traversal
“The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.”

CVE

CVE-2018-13379
“An Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.”

CVE-2023-39810
“An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal.”

IDS RTU 850 Directory Traversal Vulnerability - CVE-2015-3939
“Using this vulnerability, an attacker is able to access some files from the internal service interface of the communication module. One of the accessible files contains the credentials (passwords) to access the internal service interface via telnet.”

Honeywell XL Web Controller Directory Traversal Vulnerability - CVE-2015-0984
“By using a directory traversal vulnerability in the FTP server, it is possible to gain access to the web root directory.”

Device Properties: