Security Advisory

FusionAuth Unauthenticated Local File Disclosure

By exploiting a sanitization issue in the handler for static files, an adversary can gain read access to local files on the FusionAuth system.

Advisory ID: MLSA-2023-004
CVE: none
CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity: high
Affected versions: ≥ 1.37.0
Fixed versions: ≥ 1.46.0
Discovered by: Hans-Martin Münch, Timo Müller

Product description

FusionAuth is the customer authentication and authorization platform that makes developers’ lives awesome. You’ll get all the features your app needs plus a customizable, scalable solution you can run on any computer, anywhere in the world.

Details

FusionAuth makes use of the Prime MVC framework for the web frontend. In Prime MVC, incoming HTTP requests are passed through multiple workflow handlers. The following code snippet shows the “perform” method of the StaticResourceWorkflow class, which is responsible for serving static files.

  public void perform(WorkflowChain workflowChain) throws IOException {
    boolean handled = false;

    // Ensure that this is a request for a resource and not a class
    String uri = HTTPTools.getRequestURI(request);
    String sanitized = HTTPTools.sanitizeURI(uri);
    if (sanitized == null) {
      logger.debug("Unable to load static resource at uri [{}]", uri);
      workflowChain.continueWorkflow();
      return;
    }

    try {
      handled = findStaticResource(uri, request, response);
    } catch (RuntimeException | IOException e) {
      logger.error("Unable to load static resource at uri [{}]", uri);
      throw e;
    }

    if (!handled) {
      workflowChain.continueWorkflow();
    }
  }

The HTTPTools.sanitizeURI() method attempts to sanitize the user-controlled URI. Due to an issue in the sanitization code, it was possible to bypass the existing filter and access arbitrary files on the file system.
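Note that the snippet above computes `sanitized` but still hands the original `uri` to findStaticResource(), so the file lookup gets no benefit from whatever the sanitizer rejects or rewrites. The following Python is an added example, not Prime MVC or FusionAuth code (the web root and helper names are assumptions); it contrasts that control flow with a resolver that only ever uses the validated value and additionally checks that the canonical path stays below the web root:

```python
"""Constructed example: sanitize-as-a-gate vs. use-only-the-validated-path."""
import posixpath
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Hypothetical web root for the demonstration; nothing needs to exist on disk.
WEB_ROOT = Path("/srv/app/static")


def sanitize_uri(uri: str) -> Optional[str]:
    """Return a root-relative path with traversal collapsed, or None if unsafe.

    Plays the role of HTTPTools.sanitizeURI(): decode once, reject NUL bytes and
    backslashes, then normalise against "/" so leading ".." segments vanish.
    """
    decoded = unquote(uri)
    if "\x00" in decoded or "\\" in decoded:
        return None
    rel = posixpath.normpath("/" + decoded).lstrip("/")
    return rel or None


def lookup_unsafe(uri: str, root: Path = WEB_ROOT) -> Optional[Path]:
    """Same control flow as the advisory's perform(): the sanitized value only
    gates the request, while the file lookup still receives the raw URI."""
    if sanitize_uri(uri) is None:
        return None
    return (root / uri.lstrip("/")).resolve()  # raw uri reaches the filesystem


def resolve_static(uri: str, root: Path = WEB_ROOT) -> Optional[Path]:
    """Hardened form: only the sanitized value is used, and the canonical file
    path must still sit below the canonical root (covers symlinks as well)."""
    sanitized = sanitize_uri(uri)
    if sanitized is None:
        return None
    base = root.resolve()
    candidate = (base / sanitized).resolve()
    if base not in candidate.parents:
        return None  # defence in depth: canonical path escaped the web root
    return candidate


if __name__ == "__main__":
    for req in ("/js/app.js", "/../../../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd"):
        print(f"{req!r:32} unsafe={lookup_unsafe(req)} safe={resolve_static(req)}")
```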

Because FusionAuth runs as an unprivileged user, the process cannot read most sensitive files on the system. The notable exception is the FusionAuth configuration file, which may contain the database password.

Coordinated Disclosure Timeline

  • 25/05/2023 Initial contact with FusionAuth; security report sent.
  • 25/05/2023 Acknowledgement by FusionAuth, working on a security update.
  • 23/06/2023 FusionAuth releases version 1.46.0, sends security notice to customers.