uWSGI Path Traversal vulnerability
Description
uWSGI is a high-performance application server commonly used to serve Python, PHP, and other web applications. The uWSGI PHP plugin versions prior to 2.0.17 contain a path traversal vulnerability when the php-allowed-docroot option is not configured. This security flaw occurs due to insufficient validation of file paths when processing requests for resources under the DOCUMENT_ROOT directory specified by the php-docroot option. Attackers can exploit this weakness by using path traversal sequences (such as ..%2f) to access files outside the intended web root directory, bypassing directory restrictions.
Remediation
Apply the following remediation steps to address this vulnerability:
1. Upgrade uWSGI: Update to uWSGI version 2.0.17 or later, which includes a fix for this path traversal issue.
2. Configure php-allowed-docroot: If immediate upgrading is not possible, implement the php-allowed-docroot option as a temporary mitigation to explicitly restrict file access to authorized directories. Add this configuration to your uWSGI configuration file:
[uwsgi] php-docroot = /var/www/html php-allowed-docroot = /var/www/html
3. Verify Configuration: After applying changes, test that path traversal attempts are properly blocked and that legitimate application functionality remains intact.
4. Review Logs: Examine web server and application logs for any suspicious file access patterns that may indicate prior exploitation attempts.