CVE-2026-55439
Status: Deferred - Pending Action
Path Traversal in Halo Website Builder

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
Halo is an open source website building tool. Prior to 2.24.3, a path traversal vulnerability in the backup download endpoint allows authenticated administrators to read arbitrary files from the server filesystem. The backup download endpoint (GET /apis/console.api.migration.halo.run/v1alpha1/backups/{name}/files/(unknown)) in MigrationServiceImpl.download() resolves the backup filename via Path.resolve() without validating that the resolved path stays within the designated backups directory. In addition, the backup creation endpoint (POST /apis/migration.halo.run/v1alpha1/backups) does not sanitize the status fields during creation. This vulnerability is fixed in 2.24.3.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-26
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor      Product   Version / Range
halo        halo      up to 2.24.3 (excluding)
halo-dev    halo      up to 2.24.3 (excluding)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Compliance Impact

This vulnerability allows authenticated administrators to read arbitrary files from the server filesystem, potentially exposing sensitive data such as configuration files and credentials.

Exposure of sensitive data due to unauthorized file access can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Although the vulnerability does not allow file modification or code execution, the confidentiality impact is high, which could result in violations of confidentiality requirements mandated by these standards.

Executive Summary

This vulnerability is a path traversal flaw in the Halo website building tool versions 2.24.2 and earlier. It occurs in the backup download endpoint, where the system resolves backup filenames without properly validating that the requested file path stays within the designated backups directory.

An authenticated administrator can exploit this by creating a malicious backup with a crafted filename that includes path traversal sequences (e.g., ../../../etc/passwd). When the backup is downloaded, the system reads arbitrary files from the server filesystem outside the intended directory.

The vulnerability arises because the download method does not perform a directory traversal check, even though such a utility exists in the codebase. This allows unauthorized reading of sensitive files on the server.

The issue is fixed in Halo version 2.24.3.
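The flaw described above is the unchecked Path.resolve() pattern; the following added example (written here in Python, not taken from Halo, whose MigrationServiceImpl is Java) places that pattern next to a hardened resolver that canonicalises both sides and refuses anything outside the backups directory. The directory layout and file names are constructed for the demo.

```python
"""Backup-file resolution: unchecked resolve() beside a containment-checked one.
Illustration only; Halo's own implementation is Java."""
from pathlib import Path
import tempfile


class PathTraversalError(ValueError):
    """Raised when a requested backup name escapes the backups directory."""


def resolve_unchecked(backups_dir: Path, filename: str) -> Path:
    # Mirrors the vulnerable logic: resolve the caller-supplied name against
    # the backups directory and trust whatever path comes back.
    return (backups_dir / filename).resolve()


def resolve_checked(backups_dir: Path, filename: str) -> Path:
    # Hardened: canonicalise (symlinks and '..' removed) and then require the
    # candidate to be a strict descendant of the canonical backups directory.
    base = backups_dir.resolve()
    candidate = (base / filename).resolve()
    if candidate == base or base not in candidate.parents:
        raise PathTraversalError(f"refusing {filename!r}: outside backups dir")
    return candidate


def demo() -> dict:
    """Build a throwaway tree (constructed sample data) and compare resolvers.

    Returns {requested name: (unchecked path stayed inside?, checked verdict)}.
    """
    root = Path(tempfile.mkdtemp())
    backups = root / "backups"
    backups.mkdir()
    (backups / "site-2026-06.zip").write_bytes(b"zip")
    (root / "secret.txt").write_text("db password")  # sits outside backups/
    results = {}
    for name in ("site-2026-06.zip", "../secret.txt"):
        inside = resolve_unchecked(backups, name).is_relative_to(backups.resolve())
        try:
            resolve_checked(backups, name)
            verdict = "served"
        except PathTraversalError:
            verdict = "blocked"
        results[name] = (inside, verdict)
    return results
```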

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information stored on the server filesystem.

  • An attacker with administrator authentication can read arbitrary files, including configuration files, credentials, or other sensitive data.
  • Although the vulnerability does not allow file modification or code execution, the exposure of confidential data can compromise system security.

The CVSS score of 5.5 reflects a medium severity with a high impact on confidentiality.

Detection Guidance

This vulnerability can be detected by checking if your Halo installation is running a version prior to 2.24.3 and if the backup download endpoint is accessible to authenticated administrators.

To detect exploitation attempts, monitor HTTP GET requests to the backup download endpoint path pattern: /apis/console.api.migration.halo.run/v1alpha1/backups/{name}/files/(unknown).

Look for suspicious filenames in the requests that include path traversal sequences such as "../" or "%2e%2e%2f" which indicate attempts to read arbitrary files.

Example commands to detect such attempts in web server logs (assuming logs are stored in /var/log/halo/access.log):

  • grep -iE 'GET /apis/console.api.migration.halo.run/v1alpha1/backups/.*/files/.*(\.\./|%2e%2e%2f)' /var/log/halo/access.log   (the -i flag also catches upper-case encodings such as %2E%2E%2F)
  • tail -f /var/log/halo/access.log | grep '/apis/console.api.migration.halo.run/v1alpha1/backups/'

Additionally, verify the running Halo version, either from the command line or from the application metadata, and confirm it is 2.24.3 or later, where this vulnerability is fixed.
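The grep patterns above miss mixed-case and double-encoded traversal sequences; this added example (not from the page) scans access-log lines for the backup download endpoint, fully percent-decodes the requested filename, and flags only requests that escape the directory. The log lines are constructed samples in combined-log format, and the endpoint path is the one quoted in this advisory.

```python
"""Detect traversal attempts against the Halo backup download endpoint in
access logs. Log lines here are constructed samples, not real traffic."""
import re
from urllib.parse import unquote

# Endpoint from the advisory; {name} is a backup name, the file segment follows.
BACKUP_DOWNLOAD = re.compile(
    r'"(?:GET|HEAD) /apis/console\.api\.migration\.halo\.run/v1alpha1/backups/'
    r'[^/\s]+/files/(?P<file>\S+) '
)
# A '..' segment bounded by separators (or string ends), on either slash style.
TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def decode_fully(s: str, rounds: int = 3) -> str:
    """Peel nested percent-encoding (%252e -> %2e -> .) up to a small bound."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def is_traversal(filename: str) -> bool:
    """True when the requested backup filename would escape its directory."""
    decoded = decode_fully(filename.split("?", 1)[0])
    return decoded.startswith("/") or bool(TRAVERSAL.search(decoded))


def scan(lines):
    """Return (client_ip, decoded filename) for each suspicious request."""
    hits = []
    for line in lines:
        m = BACKUP_DOWNLOAD.search(line)
        if m and is_traversal(m.group("file")):
            hits.append((line.split(" ", 1)[0], decode_fully(m.group("file"))))
    return hits


SAMPLE_LOG = [  # constructed: one benign download, one encoded escape, one out-of-scope '..'
    '203.0.113.7 - admin [25/Jun/2026:10:01:02 +0000] "GET /apis/console.api.migration.halo.run/v1alpha1/backups/nightly/files/site-2026-06.zip HTTP/1.1" 200 5120',
    '203.0.113.7 - admin [25/Jun/2026:10:01:09 +0000] "GET /apis/console.api.migration.halo.run/v1alpha1/backups/nightly/files/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048',
    '198.51.100.4 - - [25/Jun/2026:10:02:30 +0000] "GET /themes/default/assets/../style.css HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    for ip, name in scan(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {name}")
```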

Mitigation Strategies

The immediate and most effective mitigation is to upgrade Halo to version 2.24.3 or later, where this path traversal vulnerability has been fixed.

If upgrading immediately is not possible, restrict access to the backup download endpoint to only trusted and authenticated administrators.

Implement monitoring and alerting on suspicious requests to the backup download endpoint that contain path traversal patterns.

Review and harden authentication and authorization controls to ensure only legitimate administrators can access backup creation and download features.

Consider temporarily disabling the backup download feature if it is not essential until the patch can be applied.
