Sahi pro is a application automation tool which is quite popular among automation testers . (https://sahipro.com/ ) Being a former automation tester who transitioned to penetration testing, who also heavily relied on sahi pro for day to day automation activities, An idea raced in my mind to combine both and start hunting for some security bugs in their products. And here is one of the issue that i found in their product.
sahi pro has some interesting features such as web reporting interface and web editor which combined and forms report module which aggregates all the automated test execution / suite . It was found that we can view the source code of any sahi file in the editor to check debug logs, where it highlights failed line or execution flow etc
report interface url can be found at the following location :
In the web editor module , it was observed that there exists a directory traversal vulnerability which allows any user on the same network to view any files on the victim machine running sahi pro automation software. sahi pro allows users to restrict file access for scripts in their configuration file, but this particular module seems to be vulnerable due to lack of server side validations.
Proof of concept :
Fig 1 : shows the reports module which displays and highlights the source code of sahi script file for debugging .
here the get parameter href is vulnerable to directory traversal(can also include remote files to cause Denial of service on victim browser)
Here href get parameter is referring to location :
href=scripts/csv_injection_demo.sah
if its modified to href=../../supersecret/password.txt , contents of crucial internal files of the victim machine.
Fig 2 : vulnerable to directory traversal.
another snapshot which disclose contents of win.ini file
Fig 3 : vulnerable to directory traversal.
URL vulnerable :
http://<ip>:<port>/_s_/dyn/Log_highlight?href=../../../../windows/win.ini&n=1#selected
Disclosure timeline :
Notified on : 8 / December / 2018
suggested quick fix till the official patch is released : password protect web reports module
Affected versions : all versions of sahi pro ( <= 8.x ) (web application automation )
vendor website : https://sahipro.com/