Description
uWSGI is a software application that "aims at developing a full stack for building hosting services".
The uWSGI PHP plugin before 2.0.17 is vulnerable to Path Traversal Vulnerability when used without specifying the php-allowed-docroot option.
The vulnerability exists due to improper validation of the file path when requesting a resource under the DOCUMENT_ROOT directory which is specified via php-docroot.
A remote attacker could exploit this weakness to read arbitrary files from the vulnerable system using path traversal sequences (..%2f).
Remediation
Upgrade to the latest version uWSGI. This vulnerability was fixed in uWSGI version 2.0.17.
References
Related Vulnerabilities
WordPress Plugin Add From Server Directory Traversal (3.3.3)
WordPress Plugin DMSGuestbook Multiple Remote Vulnerabilities (1.8.0)
WordPress Plugin Gmedia Photo Gallery Multiple Vulnerabilities (1.6.4)
WordPress Plugin Photo Gallery by 10Web-Mobile-Friendly Image Gallery Directory Traversal (1.3.33)
WordPress Plugin Tinymce Thumbnail Gallery 'href' Parameter Information Disclosure (1.0.7)