CVE-2021-47899
📋 TL;DR
This vulnerability in YetiShare File Hosting Script allows attackers to perform server-side request forgery (SSRF) through the remote file upload feature. By manipulating the url parameter in the url_upload_handler endpoint with file:/// protocol, attackers can read sensitive local system files like /etc/passwd. This affects all users running YetiShare 5.1.0.
💻 Affected Systems
- YetiShare File Hosting Script
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive system files, potentially obtaining credentials, configuration files, or other sensitive data, leading to further system compromise.
Likely Case
Attackers read local files like /etc/passwd to gather system information for reconnaissance or to obtain sensitive configuration data.
If Mitigated
With proper input validation and URL filtering, the vulnerability would be blocked, preventing file access.
🎯 Exploit Status
Exploit code is publicly available on Exploit-DB (ID 49534), making exploitation straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.1.1 or later
Vendor Advisory: https://yetishare.com
Restart Required: No
Instructions:
1. Download the latest version from the official YetiShare website.
2. Backup your current installation.
3. Replace the affected files with the patched version.
4. Verify the fix by testing the url_upload_handler endpoint.
🔧 Temporary Workarounds
Disable Remote File Upload
Temporarily disable the remote file upload feature to prevent exploitation.
Edit the configuration file to set 'enable_remote_upload' to false or comment out the url_upload_handler endpoint.
Input Validation Filter
Implement server-side validation to block file:/// protocol in URL parameters.
Add validation in the url_upload_handler to reject URLs starting with 'file://'.
🧯 If You Can't Patch
- Implement a web application firewall (WAF) rule to block requests containing 'file://' in the URL parameter.
- Restrict network access to the YetiShare instance to trusted IP addresses only.
🔍 How to Verify
Check if Vulnerable:
Test the url_upload_handler endpoint by sending a POST request with a URL parameter set to 'file:///etc/passwd' and check if the file content is returned.
Check Version:
Check the version in the admin panel or look for version information in the script files.
Verify Fix Applied:
After patching, repeat the test with 'file:///etc/passwd' and ensure no file content is returned or an error is shown.
📡 Detection & Monitoring
Log Indicators:
- Log entries showing requests to url_upload_handler with 'file://' in the URL parameter.
- Unusual file access attempts from the web server process.
Network Indicators:
- HTTP POST requests to /url_upload_handler with file:// URLs in the payload.
SIEM Query:
source="web_logs" AND url="*url_upload_handler*" AND request_body="*file://*"
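The query above matches only the literal string file://, which a form-encoded body (file%3A%2F%2F) or an upper-case scheme does not contain. The following added example (not code from the vendor or from this advisory) decodes the url parameter first and reports any scheme other than http or https; the JSON-lines layout, the src_ip field and the availability of request_body in the logs are assumptions.

```python
import json
from urllib.parse import parse_qs, unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # any other scheme is reported

# Constructed sample records (JSON lines). Field names follow the SIEM query
# above; capturing request_body is an assumption about the logging pipeline.
SAMPLE_LOGS = [
    '{"src_ip": "203.0.113.10", "url": "/url_upload_handler", "request_body": "url=https%3A%2F%2Fexample.com%2Fa.zip"}',
    '{"src_ip": "203.0.113.20", "url": "/url_upload_handler", "request_body": "url=file:///etc/passwd"}',
    '{"src_ip": "203.0.113.30", "url": "/url_upload_handler", "request_body": "url=FILE%3A%2F%2F%2Fetc%2Fpasswd"}',
    '{"src_ip": "203.0.113.40", "url": "/login", "request_body": "user=a&note=file://x"}',
]

def submitted_urls(record):
    """Yield every decoded `url` parameter from the query string and form body."""
    query = urlsplit(record.get("url", "")).query
    for raw in (query, record.get("request_body", "")):
        for value in parse_qs(raw).get("url", []):  # parse_qs percent-decodes once
            yield value

def scheme_of(value):
    """Return the lower-cased scheme, tolerating a second layer of encoding."""
    return urlsplit(unquote(value).strip().lower()).scheme

def suspicious(record):
    """List url values sent to url_upload_handler whose scheme is not allowed."""
    if "url_upload_handler" not in record.get("url", ""):
        return []
    return [v for v in submitted_urls(record) if scheme_of(v) not in ALLOWED_SCHEMES]

def scan(lines):
    """Return (src_ip, offending_values) for every record worth an alert."""
    hits = []
    for line in lines:
        record = json.loads(line)
        bad = suspicious(record)
        if bad:
            hits.append((record.get("src_ip", "?"), bad))
    return hits

if __name__ == "__main__":
    for ip, values in scan(SAMPLE_LOGS):
        print(f"ALERT {ip}: non-http(s) url submitted to url_upload_handler: {values}")
```

Reporting on an allowlist of schemes rather than on the string file:// also surfaces requests the original query was never written to match.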