copyparty 1.8.2 - Directory Traversal

Understanding the Copyparty 1.8.2 Directory Traversal Vulnerability (CVE-2023-37474)

Security researchers have identified a critical directory traversal vulnerability in Copyparty versions prior to 1.8.2, assigned the CVE identifier CVE-2023-37474. This flaw enables remote attackers to access sensitive system files—such as /etc/passwd—by manipulating the path in HTTP requests, bypassing intended file access restrictions.

What is Copyparty?

Copyparty is a lightweight, portable file-sharing server built for simplicity and ease of use. It allows users to share files over a local network or the internet without requiring complex setup. Designed for quick deployment, it runs on a single port (default: 3923) and serves files via a web interface. The software is open-source and hosted on GitHub, making it popular among developers, educators, and casual users.

How Directory Traversal Works

Directory traversal (also known as path traversal or dot-dot slash attacks) exploits improper input validation in web applications. When a server accepts user-supplied file paths without sanitization, an attacker can use sequences like ../ or %2F (URL-encoded /) to navigate outside the intended directory root.

For example, if a server expects files to be served from /var/www/files, an attacker might request /var/www/files/../etc/passwd, effectively accessing system-level files.

Exploiting Copyparty 1.8.2

Researchers discovered that Copyparty versions before 1.8.2 improperly handle requests to the .cpr subfolder. This subfolder is intended to store configuration or metadata files, but due to a lack of path validation, it allows arbitrary directory traversal.

curl -i -s -k -X GET 'http://127.0.0.1:3923/.cpr/%2Fetc%2Fpasswd'

Explanation: This command sends a GET request to the Copyparty server at 127.0.0.1:3923, targeting the .cpr directory with a URL-encoded path /etc/passwd. The %2F represents a forward slash, and the server fails to validate or restrict this path, resulting in the file being served directly.

Upon successful exploitation, the response will include the contents of /etc/passwd, which contains user account information—such as usernames, UID, GID, and home directories. This data can be leveraged for further attacks, including privilege escalation or credential harvesting.

Impact and Risks

The vulnerability poses significant risks, especially in environments where Copyparty is deployed on public or untrusted networks:

• Information Disclosure: Attackers can read sensitive system files, including password hashes, configuration data, and system logs.
• Remote Code Execution: In some cases, access to configuration files may expose paths to executable scripts or shell commands.
• Privilege Escalation: With knowledge of user accounts and their permissions, attackers can target weak credentials or misconfigured access controls.
• Denial of Service: Malicious requests could overwhelm the server with invalid paths, leading to resource exhaustion.

Technical Analysis: Why the Vulnerability Exists

The root cause lies in the lack of path normalization and validation within the file-serving logic. Specifically, the server does not:

• Sanitize input paths (e.g., removing .. sequences).
• Check if the requested file is within the allowed directory.
• Use a whitelist of allowed file extensions or paths.

Instead, it directly uses the provided path, allowing attackers to traverse into parent directories and access arbitrary files.

Mitigation and Best Practices

Developers and system administrators should take the following steps to prevent similar vulnerabilities:

• Input Validation: Always validate and sanitize user-supplied paths using libraries like pathlib or os.path.normpath in Python.
• Whitelist Allowed Paths: Restrict file access to predefined directories or file types.
• Use Secure File Serving Libraries: Employ frameworks such as Flask or Express with built-in security middleware.
• Enable Logging and Monitoring: Track unusual file access patterns and block repeated attempts.

Corrected Code Example (Python)

Here is a secure implementation of file serving logic that prevents directory traversal:

import os
from pathlib import Path

def serve_file(request_path, base_dir):
    # Normalize the path and ensure it's within base_dir
    full_path = Path(base_dir) / Path(request_path).resolve()
    
    # Check if the path is within the base directory
    if not full_path.is_relative_to(base_dir):
        raise PermissionError("Access denied: path traversal detected")
    
    if not full_path.exists():
        raise FileNotFoundError("File not found")
    
    return open(full_path, 'rb').read()

Explanation: This code uses Path.resolve() to normalize the path and is_relative_to() to verify that the final path is contained within the designated base_dir. If the path attempts to escape the base directory (e.g., via ../), the request is denied with a PermissionError.

Conclusion

CVE-2023-37474 highlights a critical flaw in a seemingly simple tool. Even lightweight applications like Copyparty must adhere to robust security practices. The directory traversal vulnerability underscores the importance of input validation, path normalization, and access control—even in minimalist software.

Users of Copyparty are strongly advised to upgrade to version 1.8.2 or later, where the vulnerability has been patched. Security professionals should treat such vulnerabilities as a reminder: no application is too small to be secure.