CVE-2021-47724
📋 TL;DR
STVS ProVision 5.9.10 contains an authenticated path traversal vulnerability in its archive download functionality. Authenticated attackers can manipulate the files parameter in GET requests to /archive/download to read arbitrary system files, including sensitive files like /etc/passwd. This affects organizations using STVS ProVision 5.9.10.
💻 Affected Systems
- STVS ProVision
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive system files, configuration files, password hashes, SSH keys, and other critical data, potentially leading to full system compromise.
Likely Case
Authenticated users or attackers who gain credentials can exfiltrate sensitive configuration files and user data from the server.
If Mitigated
With proper authentication controls and input validation, exploitation would be prevented or limited to authorized users only.
🎯 Exploit Status
Exploit code is publicly available on Exploit-DB and other sources. Requires authentication but is trivial to execute once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: http://www.stvs.ch
Restart Required: No
Instructions:
Check with STVS for updated versions or patches. No specific patch version is documented in public sources.
🔧 Temporary Workarounds
Input Validation Filter
Implement input validation that rejects requests whose files parameter contains directory traversal sequences (../, ..\). Reject the request rather than stripping the sequence: a single-pass strip can be bypassed (for example, "....//" becomes "../" after one removal).
# Modify application code to reject traversal sequences in the files parameter
# Example in Ruby: raise ArgumentError, "invalid path" if files_param.match?(%r{\.\.[/\\]})
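The following is an added example, not code from STVS ProVision or from the original advisory, of the input-validation approach described above done at the path-resolution layer instead of by pattern matching alone. It assumes a hypothetical archive root directory (`/var/lib/provision/archive`; the real ProVision archive location is not documented here) and a `resolve_archive_path` helper that decodes the files parameter once, resolves it lexically against the root and refuses anything that ends up outside it. A `naive_strip` helper is included only to show why a filter that strips `../` once is insufficient.

```ruby
require "pathname"
require "uri"

# Hypothetical archive root (assumption; not taken from the advisory)
ARCHIVE_ROOT = Pathname.new("/var/lib/provision/archive")

# A single-pass strip of "../", of the kind a naive filter uses.
# Shown only to demonstrate its weakness: "....//" collapses to "../".
def naive_strip(files_param)
  files_param.gsub(%r{\.\./}, "")
end

# Hardened resolver: decode the parameter once, resolve it against the
# archive root without touching the filesystem, and require the result to
# stay strictly inside the root. Returns the absolute path, or nil to reject.
def resolve_archive_path(files_param, root: ARCHIVE_ROOT)
  decoded = begin
    URI.decode_www_form_component(files_param.to_s)
  rescue ArgumentError
    return nil # malformed %-encoding is rejected outright
  end

  # Absolute paths and NUL bytes are never legitimate archive names
  return nil if decoded.start_with?("/") || decoded.include?("\0")

  # Pathname#+ and #cleanpath resolve "." and ".." lexically (pure string
  # manipulation), so "../../../etc/passwd" is folded before the check.
  candidate = (root + decoded).cleanpath

  # The root itself is not downloadable; anything outside it is rejected.
  return nil unless candidate.to_s.start_with?(root.to_s + "/")

  candidate.to_s
end
```

This check is lexical only: if the archive root contains symlinks pointing outside it, add a `File.realpath` comparison on the resolved candidate before opening the file. Encoded traversal (`%2e%2e%2f`) is handled because the parameter is decoded before resolution; double-encoded input is left as a literal (harmless) filename rather than decoded a second time.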
Access Control Restriction
Restrict access to the /archive/download endpoint to trusted users or IP addresses only.
# Example using web server config (nginx); 10.0.0.0/8 is a placeholder for your trusted range
# location /archive/download { allow 10.0.0.0/8; deny all; }
🧯 If You Can't Patch
- Implement strict authentication and authorization controls to limit access to authenticated users only.
- Deploy a web application firewall (WAF) with rules to detect and block path traversal attempts.
🔍 How to Verify
Check if Vulnerable:
Send a GET request to /archive/download?files=../../../etc/passwd as an authenticated user and check if the /etc/passwd file contents are returned.
Check Version:
Check the application version in the admin interface or configuration files. For STVS ProVision, the version should be displayed in the web interface.
Verify Fix Applied:
After applying fixes, attempt the same request and verify that it returns an error or sanitized output instead of file contents.
📡 Detection & Monitoring
Log Indicators:
- GET requests to /archive/download with ../ sequences in parameters
- Unusual file access patterns from authenticated users
Network Indicators:
- HTTP requests containing directory traversal patterns (../, ..\) in URL parameters
SIEM Query:
source="web_logs" AND url="/archive/download" AND (url_query CONTAINS "../" OR url_query CONTAINS "..\\" OR url_query CONTAINS "%2e%2e")
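As an added example (not part of the original advisory and not ProVision's own tooling), the log indicators above turned into a small scanner over access-log lines. It assumes the web server writes nginx "combined" format (the real ProVision log format is not stated here) and uses constructed sample lines; it matches both raw and URL-encoded traversal sequences against requests to /archive/download and reports the client, user, time and response status of each hit.

```ruby
require "uri"

# Constructed sample lines in nginx "combined" format (not real ProVision logs)
SAMPLE_LOG = <<~LOG
  10.0.0.5 - alice [12/May/2024:10:01:02 +0000] "GET /archive/download?files=2024/export.zip HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  10.0.0.9 - bob [12/May/2024:10:02:17 +0000] "GET /archive/download?files=../../../etc/passwd HTTP/1.1" 200 1842 "-" "curl/7.88"
  10.0.0.9 - bob [12/May/2024:10:02:40 +0000] "GET /archive/download?files=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 0 "-" "curl/7.88"
  10.0.0.9 - bob [12/May/2024:10:03:05 +0000] "GET /archive/download?files=..%5c..%5cwindows%5cwin.ini HTTP/1.1" 200 400 "-" "curl/7.88"
  10.0.0.7 - carol [12/May/2024:10:04:00 +0000] "GET /login HTTP/1.1" 200 900 "-" "Mozilla/5.0"
LOG

# Fields of the combined format that the detection needs
LOG_RE = /\A(?<ip>\S+) \S+ (?<user>\S+) \[(?<time>[^\]]+)\] "(?<method>\S+) (?<target>\S+) [^"]*" (?<status>\d{3})/

# "../" or "..\" in either raw or decoded form
TRAVERSAL_RE = %r{\.\.[/\\]}

# True if the query string carries a traversal sequence, raw or %-encoded
def traversal?(query)
  decoded = begin
    URI.decode_www_form_component(query)
  rescue ArgumentError
    query # malformed encoding: fall back to the raw string
  end
  [query, decoded].any? { |q| q.match?(TRAVERSAL_RE) }
end

# Returns one hash per suspicious request to /archive/download
def scan_log(text)
  text.each_line.filter_map do |line|
    next unless (m = LOG_RE.match(line))
    path, query = m[:target].split("?", 2)
    next unless path == "/archive/download" && query
    next unless traversal?(query)
    { ip: m[:ip], user: m[:user], time: m[:time], status: m[:status].to_i, query: query }
  end
end

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each { |hit| puts hit.inspect }
end
```

Hits with a 200 status deserve the highest priority, since the file contents were most likely returned; a 403 indicates the request was blocked (for example by the access-control workaround above) but still records an attempt worth attributing to the account involved.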