XBOW – How XBOW Found a Scoold Authentication Bypass

  • Event Overview: XBOW, which shifted its focus from benchmarks to real-world applications after the Humans vs AI experiment, is sharing interesting vulnerabilities it found in real-world open-source targets. This post discusses a critical vulnerability in Scoold, an open-source Q&A platform similar to Stack Overflow that is used by companies including Cisco, IBM, Siemens, and Roblox.
  • Vulnerability Details: The flaw allows unauthenticated attackers to bypass authentication and read or modify the application configuration, including sensitive API secrets. Because the configuration is written in HOCON, whose include directive can pull in other files, it can also be used to read arbitrary files on the remote target.
  • Discovery Process: XBOW was given the app description, the code, and the task of finding a file-read exploit. It started with code analysis using javap and tried to find a stack overflow. It then fuzzed endpoints with ffuf and discovered that they required authentication. It built a Python script to test path manipulations and found an authentication bypass using a semicolon in the path. Finally, it used the HOCON include directive to achieve arbitrary file reads.
  • Fixing the Issue: The Scoold developers quickly released a patch for the authentication bypass. The root cause was using getRequestURI() without path normalization, an issue seen before in other Java web apps. XBOW also applied for a CVE (CVE-2024-50334) and will share more findings in the coming weeks to help improve open-source security.
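The bug class behind the bypass, modelled as an added example (not XBOW's script and not Scoold's code): an access rule evaluated on the raw request URI, the way getRequestURI() returns it, while the servlet container routes on a canonical path with matrix parameters (`;key=value`), percent-encoding and `..` segments resolved. The `/admin` prefix and the request paths below are constructed to illustrate the class; they are not the exact payload from the post.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

ADMIN_PREFIX = "/admin"  # hypothetical protected prefix, not taken from Scoold's routes


def strip_path_params(path: str) -> str:
    """Drop ';key=value' matrix parameters from every segment.

    Servlet containers do this before matching routes, so '/;/admin' and
    '/admin;x=1' both reach the handler mapped at '/admin'.
    """
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def canonical_path(raw_uri: str) -> str:
    """Canonical form of the path, i.e. what the container will route on.

    Drops the query string, decodes percent-escapes, strips matrix
    parameters, collapses repeated slashes and resolves '.'/'..' segments
    against the root.
    """
    path = raw_uri.split("?", 1)[0]
    path = unquote(path)
    path = strip_path_params(path)
    path = re.sub(r"/+", "/", path)  # normpath keeps a leading '//', so squash slashes first
    path = normpath(path)
    return path if path.startswith("/") else "/" + path


def routes_to_admin(raw_uri: str) -> bool:
    """Does the container dispatch this request to the admin handler?"""
    path = canonical_path(raw_uri)
    return path == ADMIN_PREFIX or path.startswith(ADMIN_PREFIX + "/")


def requires_auth_vulnerable(raw_uri: str) -> bool:
    """The bug class: the access rule is evaluated on the raw request URI."""
    return raw_uri.startswith(ADMIN_PREFIX)


def requires_auth_hardened(raw_uri: str) -> bool:
    """The fix: evaluate the rule on exactly the representation the router uses,
    with a segment-aware match so '/administrator' is not mistaken for '/admin'."""
    return routes_to_admin(raw_uri)


def is_bypass(raw_uri: str) -> bool:
    """True when the request reaches the admin handler but the vulnerable rule never fires."""
    return routes_to_admin(raw_uri) and not requires_auth_vulnerable(raw_uri)


if __name__ == "__main__":
    # Constructed request paths; the semicolon case mirrors the technique the post describes.
    for uri in ["/admin", "/;/admin", "/admin;x=1", "/x/../admin/config", "/%61dmin", "/public"]:
        print(f"{uri:20} canonical={canonical_path(uri):15} "
              f"vuln_rule={requires_auth_vulnerable(uri)!s:5} "
              f"hardened_rule={requires_auth_hardened(uri)!s:5} bypass={is_bypass(uri)}")
```

The check a practitioner wants is the last column: any URI for which `is_bypass` is true is a request the router sends to the protected handler without the raw-URI rule ever firing. The hardened rule closes the gap not by adding more string patterns but by making the authorisation decision on the same canonical path the dispatcher uses.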