CVE-2021-41714
📋 TL;DR
CVE-2021-41714 is a path traversal vulnerability in Tipask Q&A software that allows authenticated users to download arbitrary files from the server by manipulating attachment download parameters. This affects Tipask installations before version 3.5.9 and can lead to sensitive information disclosure including configuration files, system files, and application logs.
💻 Affected Systems
- Tipask
📦 What is this software?
Tipask, Q&A software published by the Tipask project.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could download sensitive files like database credentials, SSH keys, or system configuration files, potentially leading to full server compromise, data theft, or lateral movement within the network.
Likely Case
Registered users exploit the vulnerability to download configuration files (.env), system files (/etc/passwd), or application logs, resulting in information disclosure that could enable further attacks.
If Mitigated
With proper file permissions and network segmentation, impact is limited to files accessible by the web server user, but sensitive configuration data could still be exposed.
🎯 Exploit Status
Exploitation requires authenticated access. Public proof-of-concept demonstrates simple path traversal via attachment download parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.9
Vendor Advisory: https://github.com/sdfsky/tipask/commit/9b5f13d1708e9a5dc0959cb8a97be1c32b94ca69
Restart Required: No
Instructions:
1. Back up your Tipask installation and database.
2. Download Tipask 3.5.9 or later from the official repository.
3. Replace the vulnerable files, particularly app/Http/Controllers/AttachController.php.
4. Verify the fix by checking that path validation is implemented in the download function.
🔧 Temporary Workarounds
Input Validation Middleware
Platform: all
Implement server-side validation to sanitize file path parameters before processing.
Add path sanitization in the download controller to prevent directory traversal.
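Added illustration of the sanitization described above (this is not Tipask's own PHP code; the attachment root and function names are assumptions). It places the unchecked join that lets '../' escape next to a containment check that also handles percent-encoded, absolute and sibling-directory inputs:

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed attachment root for the hypothetical download handler.
ATTACH_ROOT = "/var/www/tipask/storage/attachments"


def vulnerable_resolve(user_path: str) -> str:
    """Unchecked pattern: the request parameter is joined onto the attachment
    directory with no containment check, so '../' sequences climb out of it."""
    return posixpath.normpath(posixpath.join(ATTACH_ROOT, user_path))


def safe_resolve(user_path: str) -> Optional[str]:
    """Hardened variant: decode, normalise, then require that the result stays
    strictly below ATTACH_ROOT. Returns None (caller answers 400/404) on escape."""
    decoded = user_path
    for _ in range(2):  # two rounds so '%252e%252e/' cannot bypass a single decode
        decoded = unquote(decoded)
    if "\x00" in decoded:  # NUL bytes truncate paths in C-based file APIs
        return None
    decoded = decoded.replace("\\", "/")  # treat Windows separators like '/'
    if decoded.startswith("/"):  # join() would discard ATTACH_ROOT for absolute input
        return None
    candidate = posixpath.normpath(posixpath.join(ATTACH_ROOT, decoded))
    # Trailing separator keeps a sibling such as '.../attachments_backup' from
    # passing a bare prefix test, and rejects the root directory itself.
    if not candidate.startswith(ATTACH_ROOT + "/"):
        return None
    # In production also resolve symlinks (os.path.realpath) and re-check here.
    return candidate


def demo() -> dict:
    """Run constructed inputs through both resolvers for side-by-side comparison."""
    samples = [
        "report.pdf",
        "../../../../../etc/passwd",
        "..%2F..%2F.env",
        "../attachments_backup/secret.txt",
    ]
    return {s: (vulnerable_resolve(s), safe_resolve(s)) for s in samples}
```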
File Permission Restrictions
Platform: linux
Restrict web server user permissions to prevent access to sensitive directories.
chmod 600 /path/to/sensitive/files
chown root:root /etc/passwd /etc/shadow
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block path traversal patterns in URLs
- Restrict user registration and monitor authenticated user activity for suspicious file download patterns
🔍 How to Verify
Check if Vulnerable:
Test if authenticated users can download files outside the intended attachment directory by manipulating the file parameter in download requests
Check Version:
Check the Tipask version in the admin panel or examine the application's version file
Verify Fix Applied:
Verify that path traversal attempts (e.g., '../../etc/passwd') are blocked and return appropriate error messages
📡 Detection & Monitoring
Log Indicators:
- Unusual file download patterns
- Requests containing '../' sequences in file parameters
- Failed attempts to access sensitive system paths
Network Indicators:
- HTTP requests with path traversal sequences in URL parameters
- Multiple download requests from single authenticated users
SIEM Query:
web.url:*../* AND web.method:GET AND web.status:200
🔗 References
- https://github.com/sdfsky/tipask/blob/c4e6aa9f6017c9664780570016954c0922d203b7/app/Http/Controllers/AttachController.php#L42
- https://github.com/sdfsky/tipask/commit/9b5f13d1708e9a5dc0959cb8a97be1c32b94ca69
- https://www.yuque.com/henry-weply/penetration/fza5hm