uWSGI Path Traversal vulnerability

Description
  • uWSGI is a software application that "aims at developing a full stack for building hosting services".

    The uWSGI PHP plugin before 2.0.17 is vulnerable to path traversal when used without specifying the php-allowed-docroot option.

    The vulnerability exists due to improper validation of the file path when requesting a resource under the DOCUMENT_ROOT directory which is specified via php-docroot.

    A remote attacker could exploit this weakness to read arbitrary files from the vulnerable system using path traversal sequences (..%2f).
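
    The class of check involved, as an added example (not uWSGI's code and not its actual fix): a file path has to be validated after percent-decoding and normalisation, otherwise ..%2f passes a filter that only looks for ../ in the raw request. The function names, the docroot value and the sample request paths are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/html"  # assumed php-docroot value for this example


def naive_resolve(docroot, request_path):
    """Flawed pattern: filters the raw string, then decodes and joins."""
    if "../" in request_path:  # "..%2f" passes this filter untouched
        return None
    decoded = unquote(request_path)
    return posixpath.normpath(posixpath.join(docroot, decoded.lstrip("/")))


def resolve_under_docroot(docroot, request_path):
    """Decode first, normalise, then require the result to stay inside docroot.

    Returns the normalised path, or None when the request escapes docroot.
    The check is lexical; a real server should also resolve symlinks
    (os.path.realpath) before comparing.
    """
    root = posixpath.normpath(docroot)
    decoded = unquote(request_path)  # "..%2f" becomes "../" here
    if "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # commonpath compares whole components, so /var/www/html-backup is
    # not mistaken for a child of /var/www/html as startswith() would.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample request paths
    for path in ("/index.php", "/a/..%2fb.php",
                 "/..%2f..%2f..%2fetc/passwd", "/..%2fhtml-backup/x.php"):
        print(path, naive_resolve(DOCROOT, path), resolve_under_docroot(DOCROOT, path))
```
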
Remediation
  • Upgrade to the latest version of uWSGI. This vulnerability was fixed in uWSGI version 2.0.17.