CVE-2022-1850
📋 TL;DR
CVE-2022-1850 is a path traversal vulnerability in FileGator that allows attackers to access files outside the intended directory. This affects all FileGator installations prior to version 7.8.0. Attackers can potentially read sensitive system files or application configuration files.
💻 Affected Systems
- FileGator
📦 What is this software?
Filegator by Filegator
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through reading sensitive files like /etc/passwd, SSH keys, database credentials, or application configuration files containing secrets.
Likely Case
Unauthorized access to sensitive files within the web server's accessible directory tree, potentially exposing user data, configuration files, or source code.
If Mitigated
Limited impact if proper file permissions and web server configurations restrict access to sensitive directories.
🎯 Exploit Status
Exploitation requires authenticated access to FileGator. The vulnerability is in the file browsing functionality where directory traversal sequences are not properly sanitized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.8.0
Vendor Advisory: https://github.com/filegator/filegator/commit/6e2b68f17f48cdc1d6a4a93a2369d2069fe64989
Restart Required: Yes
Instructions:
1. Backup your current FileGator installation and configuration.
2. Download FileGator version 7.8.0 or later from the official GitHub repository.
3. Replace the existing installation with the new version.
4. Restart your web server (Apache/Nginx) and PHP-FPM if applicable.
🔧 Temporary Workarounds
Restrict File Access via Web Server Configuration
Configure the web server to block directory traversal attempts and restrict access to sensitive directories. Note that these rules only inspect the request path after the server has normalized it, not query-string or POST parameters, so treat them as defense in depth rather than a substitute for the patch.
# For Apache 2.4: Add to .htaccess or virtual host config
<LocationMatch "\.\.">
Require all denied
</LocationMatch>
# On Apache 2.2, replace "Require all denied" with "Order Deny,Allow" and "Deny from all"
# For Nginx: Add to server block
location ~ /\.\./ {
deny all;
return 403;
}
Implement Web Application Firewall (WAF) Rules
Add WAF rules to block path traversal patterns in HTTP requests.
# Example ModSecurity rule
SecRule ARGS "@contains ../" "id:1001,phase:2,deny,status:403,msg:'Path Traversal Attempt'"
# Example Cloudflare WAF rule: Block requests containing '../' in URL or parameters
🧯 If You Can't Patch
- Implement strict file permission controls to limit what files the web server user can access.
- Deploy a web application firewall (WAF) with path traversal detection rules enabled.
🔍 How to Verify
Check if Vulnerable:
Check if FileGator version is below 7.8.0 by examining the version file or checking the admin interface. Test by attempting to access files using '../' sequences in file browsing functionality.
Check Version:
Check the version.php file in the FileGator installation directory or look for version information in the admin interface.
Verify Fix Applied:
After upgrading to 7.8.0 or later, verify that directory traversal attempts (using '../') are properly blocked and return appropriate error messages.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../' sequences in URL parameters
- Multiple 403 or 404 errors from the same IP attempting to access various directory paths
- Unusual file access patterns from authenticated users
Network Indicators:
- HTTP requests with encoded directory traversal sequences (%2e%2e%2f, ..%2f)
- Multiple failed attempts to access files outside normal directory structure
SIEM Query:
source="web_server_logs" AND (url="*../*" OR params="*../*") AND status_code="200"
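The log and network indicators above can be checked offline against web server access logs. The following is an added example, not part of the original advisory or the FileGator project: it parses combined-format log lines, URL-decodes the request target (twice, so single- and double-encoded sequences such as %2e%2e%2f and %252e%252e%252f are caught), flags only genuine ".." path segments, and summarizes attempts per source IP, highlighting any that received a 200. The sample log lines and the request parameter layout (r=/download&path=...) are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - admin [01/Jun/2022:10:00:01 +0000] "GET /index.php?r=/download&path=../../../../etc/passwd HTTP/1.1" 200 1812 "-" "curl/7.81"
203.0.113.7 - admin [01/Jun/2022:10:00:02 +0000] "GET /index.php?r=/download&path=%2e%2e%2f%2e%2e%2fconfig.php HTTP/1.1" 403 153 "-" "curl/7.81"
203.0.113.7 - admin [01/Jun/2022:10:00:03 +0000] "GET /index.php?r=/download&path=%252e%252e%252fprivate.key HTTP/1.1" 404 153 "-" "curl/7.81"
198.51.100.9 - alice [01/Jun/2022:10:01:00 +0000] "GET /index.php?r=/download&path=reports/q1..v2.pdf HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - alice [01/Jun/2022:10:01:05 +0000] "GET /index.php?r=/getuser HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A ".." segment bounded by a slash/backslash or the string edge, evaluated after decoding.
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')

def decode_target(target, rounds=2):
    """URL-decode repeatedly so double-encoded sequences are normalized; stops early if nothing changes."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def is_traversal(target):
    decoded = decode_target(target)
    # Check the path and each query value separately so a filename like "q1..v2.pdf" is not flagged.
    path, _, query = decoded.partition("?")
    candidates = [path] + [kv.partition("=")[2] for kv in query.split("&") if kv]
    return any(TRAVERSAL_RE.search(c) for c in candidates)

def scan_log(text):
    """Return one record per log line whose request target contains a traversal sequence."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m["target"]):
            hits.append({"ip": m["ip"], "user": m["user"], "status": int(m["status"]),
                         "target": decode_target(m["target"])})
    return hits

def per_ip_summary(hits):
    """Count attempts per source IP and note whether any attempt was answered with a 200."""
    attempts = Counter(h["ip"] for h in hits)
    succeeded = {h["ip"] for h in hits if h["status"] == 200}
    return {ip: {"attempts": n, "any_200": ip in succeeded} for ip, n in attempts.items()}

if __name__ == "__main__":
    for ip, info in per_ip_summary(scan_log(SAMPLE_LOG)).items():
        print(ip, info)
```

A 200 response to a flagged request on an unpatched install is the case to triage first; 403/404 bursts from one IP indicate probing that the web server or WAF rules absorbed.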
🔗 References
- https://github.com/filegator/filegator/commit/6e2b68f17f48cdc1d6a4a93a2369d2069fe64989
- https://huntr.dev/bounties/07755f07-a412-4911-84a4-2f8c03c8f7ce