CVE-2024-53991 Scanner

CVE-2024-53991 Scanner - Arbitrary File Disclosure vulnerability in Discourse

Short Info

Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 17 days 4 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

Discourse is a widely used open-source platform for online community discussions. It is used by businesses, educational institutions, and open-source communities to facilitate structured and asynchronous conversations. The platform supports various integrations, plugins, and features such as user moderation, badges, and gamification. It can be hosted on-premises or through managed services, providing flexibility for different types of deployments. Discourse uses a combination of Ruby on Rails and Ember.js for its backend and frontend, ensuring a modern web experience. Users leverage Discourse for forums, Q&A platforms, and internal team communication.

This vulnerability affects Discourse instances configured to use `FileStore::LocalStore`, meaning backups and uploads are stored on the server's local filesystem. If an attacker can determine the name of a Discourse backup file, they can exploit a misconfiguration in Nginx to retrieve it. This flaw allows unauthorized access to sensitive backup files, potentially exposing user data and other confidential information. The attack does not require authentication, which increases its severity. The flaw arises from how Nginx processes requests with specific headers and mappings. This issue is considered a high-risk vulnerability because of the potential for data exposure.

The vulnerability is triggered when an attacker crafts a request that manipulates Nginx's handling of backup file locations. Specifically, the misconfiguration allows requests with certain headers, such as `X-Accel-Redirect`, to bypass normal access restrictions. If a backup file’s name is known, Nginx can be tricked into serving it directly. The vulnerability relies on the presence of the `X-Accel-Mapping` directive, which maps internal locations to external paths. When this mapping is misconfigured, backup files stored in `/downloads/backups/default/` can become accessible. The affected endpoint lacks proper authorization checks, leading to the exposure of sensitive files.
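A defender-side check for the path described above, written as an added example (it is not code from this page or from the Discourse project): it scans Nginx access-log lines for direct client requests to the local backup path and separates successful retrievals from name-guessing misses. The log lines are constructed samples, and the backup file names in them are placeholders.

```ruby
# Added example, not from the scanner page or the Discourse project.
# Nginx "combined" format. $request holds the original request line, so a
# /downloads/backups/ path logged here was requested by the client directly,
# not reached through the application's X-Accel-Redirect.
NGINX_COMBINED = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+)[^"]*" (?<status>\d{3}) (?<bytes>\d+|-)/

BACKUP_PATH = %r{\A/downloads/backups/}   # local backups (FileStore::LocalStore)

# Constructed sample log: three requests from one client to the backup path
# (two misses, one hit) and one ordinary topic view from another client.
SAMPLE_LOG = <<~LOG.lines(chomp: true)
  203.0.113.10 - - [02/Jan/2025:10:14:55 +0000] "GET /downloads/backups/default/site-2024-12-30.tar.gz HTTP/1.1" 404 153 "-" "curl/8.4.0"
  203.0.113.10 - - [02/Jan/2025:10:14:57 +0000] "GET /downloads/backups/default/site-2024-12-31.tar.gz HTTP/1.1" 404 153 "-" "curl/8.4.0"
  198.51.100.7 - - [02/Jan/2025:10:15:10 +0000] "GET /t/welcome-topic/1 HTTP/1.1" 200 14322 "-" "Mozilla/5.0"
  203.0.113.10 - - [02/Jan/2025:10:15:01 +0000] "GET /downloads/backups/default/site-2025-01-01.tar.gz HTTP/1.1" 200 734003200 "-" "curl/8.4.0"
LOG

# Parse one combined-format line into a hash; nil for lines that do not match.
def parse_line(line)
  m = NGINX_COMBINED.match(line)
  return nil unless m
  { ip: m[:ip], time: m[:ts], method: m[:method],
    path: m[:path].split('?', 2).first, status: m[:status].to_i,
    bytes: m[:bytes] == '-' ? 0 : m[:bytes].to_i }
end

# A successful GET on the backup path means a backup archive left the server.
def backup_disclosure?(e)
  e[:method] == 'GET' && BACKUP_PATH.match?(e[:path]) && [200, 206].include?(e[:status])
end

def find_backup_downloads(lines)
  lines.filter_map { |l| parse_line(l) }.select { |e| backup_disclosure?(e) }
end

# 404s on the backup path, counted per client: a client guessing backup names.
def probes_by_ip(lines)
  lines.filter_map { |l| parse_line(l) }
       .select { |e| BACKUP_PATH.match?(e[:path]) && e[:status] == 404 }
       .group_by { |e| e[:ip] }
       .transform_values(&:size)
end

if __FILE__ == $PROGRAM_NAME
  find_backup_downloads(SAMPLE_LOG).each do |e|
    puts "DISCLOSURE #{e[:ip]} #{e[:time]} #{e[:path]} (#{e[:bytes]} bytes)"
  end
  probes_by_ip(SAMPLE_LOG).each { |ip, n| puts "PROBES #{ip}: #{n} miss(es) on backup path" }
end
```

Run it against a real access log by replacing SAMPLE_LOG with `File.foreach(path, chomp: true)`; a DISCLOSURE line is the signal to treat the named backup as exposed and rotate whatever it contains.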

Exploitation of this vulnerability can result in unauthorized access to backup files containing user data, system configurations, and other critical information. Attackers may extract credentials, personal user details, and internal system settings from exposed backup files. This could lead to further attacks, such as account takeovers, privilege escalation, or lateral movement within an organization’s infrastructure. The disclosure of sensitive data also poses compliance risks, especially for organizations subject to data protection regulations. If exploited at scale, this vulnerability could significantly compromise the security and integrity of Discourse instances.
