CVE-2021-29024
📋 TL;DR
CVE-2021-29024 is a directory traversal vulnerability in InvoicePlane that lets unauthenticated attackers list directories and download files that should not be reachable from the web. It affects installations running a vulnerable version (before 1.5.12) with the default web server configuration. Sensitive files such as configuration files, invoices and user data can be exposed.
💻 Affected Systems
- InvoicePlane
📦 What is this software?
InvoicePlane, by the InvoicePlane project: a self-hosted, open-source invoicing and billing web application written in PHP.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of sensitive business data including financial records, customer information, and system credentials leading to data breach, financial fraud, or further system compromise.
Likely Case
Exposure of sensitive files containing configuration details, invoice data, or user information that could be used for targeted attacks or data theft.
If Mitigated
Limited exposure of non-sensitive files or complete prevention if proper access controls and web server configurations are implemented.
🎯 Exploit Status
Exploitation requires no authentication and can be performed with simple HTTP requests. Public proof-of-concept demonstrates directory traversal.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.12
Vendor Advisory: https://github.com/InvoicePlane/InvoicePlane/pull/754
Restart Required: Yes
Instructions:
1. Back up your InvoicePlane installation and database.
2. Download InvoicePlane 1.5.12 or later from the official repository.
3. Replace the existing installation with the patched version.
4. Restart your web server.
5. Verify the fix by repeating the directory requests from the How to Verify section.
🔧 Temporary Workarounds
Web Server Configuration Hardening
Configure the web server to deny directory listing and restrict access to the sensitive directories (uploads, application, vendor). Note that disabling listings only hides the index page; files whose names are known or guessable can still be downloaded directly, so pair this with an access rule.
# For Apache: Add 'Options -Indexes' to .htaccess or virtual host config
# For Nginx: Add 'autoindex off;' to server block configuration
Access Control Rules
Implement IP-based restrictions or authentication for the sensitive directories. The example below uses Apache 2.2 directives; on Apache 2.4 they only work with mod_access_compat loaded, and the native equivalent is 'Require ip 192.168.1.0/24'. For either form to take effect from .htaccess, the enclosing Directory block must have AllowOverride set to permit it (AllowOverride Limit or All).
# Example Apache .htaccess for directory protection
Order deny,allow
Deny from all
Allow from 192.168.1.0/24
🧯 If You Can't Patch
- Implement strict network access controls to limit InvoicePlane access to trusted IP addresses only
- Deploy a web application firewall (WAF) with rules that block directory traversal sequences (literal ../ and URL-encoded forms such as %2e%2e%2f) and direct requests to /uploads/, /application/ and /vendor/; a rule keyed only on ../ will miss plain listing requests, which need no traversal sequence at all
🔍 How to Verify
Check if Vulnerable:
Attempt to access sensitive directories such as /uploads/ or /application/config/ without authentication. If a directory listing is returned, or files inside them can be downloaded directly, the installation is vulnerable.
Check Version:
Check the version.php file in the InvoicePlane root directory or use: grep "IP_VERSION" application/config/version.php
Verify Fix Applied:
After patching, attempt the same directory traversal requests. They should return 403 Forbidden or 404 Not Found errors instead of directory listings or file contents.
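To make the check above repeatable, here is an added example (not from this page or the InvoicePlane project) in Python that requests the two directories named in the verification steps and classifies each response the way those steps describe: a 200 carrying an autoindex page is vulnerable, a 403 or 404 is protected, and a 200 without a listing (for instance a blank index.html dropped in as a workaround) is flagged for manual inspection. The target URL, the User-Agent string and the fake responses used in the self-test are assumptions; only the standard library is used.

```python
"""Added example: probe an InvoicePlane install for the exposed directories
described in the advisory. Not InvoicePlane project code."""
import sys
import urllib.error
import urllib.request

# Directories named in the "How to Verify" section. An unauthenticated
# listing from, or direct download out of, either one indicates an
# unpatched install.
PROBE_PATHS = ("/uploads/", "/application/config/")


def default_fetch(url, timeout=10):
    """GET url and return (status, body). HTTP error statuses are returned,
    not raised, so 403/404 can be classified like any other answer."""
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2021-29024-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")


def looks_like_listing(body):
    """Apache mod_autoindex and nginx autoindex pages both carry an
    'Index of' title; a CodeIgniter page or a blank index.html does not."""
    return "index of" in body.lower()


def check_path(base_url, path, fetch=default_fetch):
    """Classify one directory: 'vulnerable' (listing served), 'protected'
    (403/404), or 'no-listing' (200 without an index page; inspect manually)."""
    status, body = fetch(base_url.rstrip("/") + path)
    if status == 200 and looks_like_listing(body):
        return "vulnerable", status
    if status in (403, 404):
        return "protected", status
    return "no-listing", status


def assess(base_url, fetch=default_fetch):
    """Probe every path; return (any_vulnerable, {path: (verdict, status)})."""
    results = {p: check_path(base_url, p, fetch) for p in PROBE_PATHS}
    return any(v == "vulnerable" for v, _ in results.values()), results


if __name__ == "__main__":
    # Usage: python check_ip.py https://invoices.example.com
    # Only run this against systems you are authorised to test.
    vulnerable, results = assess(sys.argv[1])
    for path, (verdict, status) in results.items():
        print(f"{path:<22} HTTP {status}  {verdict}")
    sys.exit(1 if vulnerable else 0)
```

The fetch function is injectable so the classification can be exercised offline; the exit status makes the script usable from a deployment pipeline as a post-upgrade gate.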
📡 Detection & Monitoring
Log Indicators:
- Multiple 200 OK responses to directory traversal patterns
- Requests to sensitive paths like /uploads/, /application/config/, /vendor/ without referrer or authentication
Network Indicators:
- Unusual patterns of file downloads from InvoicePlane directories
- HTTP requests with ../ sequences (including URL-encoded forms such as %2e%2e%2f) or attempts to access protected directories
SIEM Query:
web_access_logs | where url contains "../" or url contains "/uploads/" or url contains "/application/config/" | where response_code = 200
Expect legitimate invoice downloads under /uploads/ to match this query, and extend the traversal match to the URL-encoded form %2e%2e as well as the literal ../ string. To cut the noise, alert first on requests whose path ends in "/" (a served directory listing) or contains a traversal sequence, and review plain file downloads from unfamiliar source IPs separately.
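As an added example (not from this page or the InvoicePlane project), the Python script below applies the detection logic above to access-log lines in the Apache/nginx combined format, with two refinements the one-line query lacks: it URL-decodes the path (twice) so encoded and double-encoded traversal sequences are caught, and it separates a 200 for a directory URL (a served listing) from a 200 for a file under one of the sensitive prefixes, which may be a legitimate download and is the noisier signal. The log lines are constructed for the example; the source IPs, timestamps and file names are assumptions.

```python
"""Added example: flag CVE-2021-29024-style requests in a combined-format
access log. Not InvoicePlane project code; sample log lines are constructed."""
import re
from urllib.parse import unquote

# Apache/nginx "combined" format: ip ident user [time] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)

# Paths the advisory names as sensitive in an InvoicePlane web root.
SENSITIVE_PREFIXES = ("/uploads/", "/application/", "/vendor/")


def normalize_path(url):
    """Strip the query string and decode twice so %2e%2e%2f and the
    double-encoded %252e%252e%252f both become '../'."""
    path = url.split("?", 1)[0]
    return unquote(unquote(path))


def classify(entry):
    """Return a finding category for one parsed log entry, or None.
    Only successful (200) responses matter: a 403/404 means the server
    refused, which is the patched/mitigated behaviour."""
    if int(entry["status"]) != 200:
        return None
    path = normalize_path(entry["url"])
    if "../" in path or "..\\" in path:
        return "traversal"          # plain or encoded dot-dot sequence, served
    if path.startswith(SENSITIVE_PREFIXES):
        # A 200 for the directory URL itself means an autoindex page was served.
        return "listing" if path.endswith("/") else "file-access"
    return None


def scan(log_text):
    """Parse each line; return (ip, raw_url, category) for every hit."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # unparsable line (other format); skip rather than guess
        category = classify(m.groupdict())
        if category:
            findings.append((m["ip"], m["url"], category))
    return findings


# Constructed sample: one host probing the install, one ordinary user logging in.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Mar/2021:10:00:01 +0000] "GET /uploads/ HTTP/1.1" 200 1532 "-" "curl/7.68.0"
203.0.113.5 - - [17/Mar/2021:10:00:02 +0000] "GET /uploads/customer_files/invoice_001.pdf HTTP/1.1" 200 48213 "-" "curl/7.68.0"
203.0.113.5 - - [17/Mar/2021:10:00:03 +0000] "GET /uploads/%2e%2e/application/config/database.php HTTP/1.1" 200 900 "-" "curl/7.68.0"
198.51.100.7 - - [17/Mar/2021:10:01:00 +0000] "GET /application/config/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Mar/2021:10:01:05 +0000] "GET /index.php/sessions/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, url, category in scan(SAMPLE_LOG):
        print(f"{category:<12} {ip:<14} {url}")
```

Run against a real log with `scan(open("access.log").read())`; the fourth sample line shows why the 200 filter matters, since a 403 for the same path is the mitigated behaviour and should not page anyone.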
🔗 References
- https://github.com/InvoicePlane/InvoicePlane/pull/754
- https://notnnor.github.io/research/2021/03/17/files-or-directories-accessible-to-external-parties-in-invoiceplane.html