### Summary

motionEye contains an absolute path traversal vulnerability in multiple media file handlers that allows an attacker to read arbitrary files from the filesystem. The affected handlers accept a user-controlled filename parameter and construct filesystem paths using `os.path.join()`. When an absolute path is supplied, Python discards the configured media directory and returns the attacker-supplied path directly. The application then bypasses Tornado's built-in path validation by overriding the relevant safety checks. As a result, an attacker can access files outside of the configured camera media directory, subject to the permissions of the motionEye process.

### Details

The issue exists in the media playback and download functionality. The filename parameter is passed to `mediafiles.get_media_path()`:

```python
import os

def get_media_path(camera_config, path, media_type):
    target_dir = camera_config.get('target_dir')
    # If `path` is absolute, os.path.join() discards target_dir entirely.
    full_path = os.path.join(target_dir, path)
    return full_path
```

When `path` is an absolute path (e.g. `/etc/motioneye/motion.conf`), Python's `os.path.join()` discards `target_dir` entirely and returns the absolute path as-is. This would normally be caught by Tornado's `StaticFileHandler` path validation, but `MoviePlaybackHandler` explicitly overrides both safety checks (`movie_playback.py` lines 111-115):

```python
def get_absolute_path(self, root, path):
    # Returns the request path unchanged instead of joining it under `root`.
    return path

def validate_absolute_path(self, root, absolute_path):
    # Skips Tornado's check that the resolved path lies inside `root`.
    return absolute_path
```

This allows reading any file on the filesystem that the motionEye process can access. The same path traversal exists in the movie download, picture download, and picture preview handlers:

- GET /movie/<camera_id>/download/<filename>
- GET /picture/<camera_id>/download/<filename>
- GET /picture/<camera_id>/preview/<filename>

### PoC

```http
GET /movie/1/playback//etc/motioneye/motion.conf HTTP/1.1
Host: target:8765
```

### Fix

Do not allow absolute paths supplied by user input.
Validate that the fully resolved canonical path remains within the configured camera media directory before serving a file. Additionally, Tornado’s built-in path validation should not be bypassed unless equivalent validation is performed by motionEye.
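As an added example (not motionEye's own code), here is a hardened replacement for `get_media_path()` implementing the fix described above: absolute paths are refused before joining, and the joined path is canonicalised and checked to still lie under the camera's media directory. The signature mirrors the snippet in Details; `MediaPathError`, `is_safe_media_path()` and `demo_checks()` are names introduced here.

```python
import os
import tempfile


class MediaPathError(ValueError):
    """Raised when a requested media path is not inside the camera's media directory."""


def get_media_path(camera_config, path, media_type):
    """Hardened helper (assumed signature matching motionEye's mediafiles.get_media_path).

    Rejects absolute paths outright, then canonicalises the joined path with
    os.path.realpath() (resolving '..' and symlinks) and verifies that it is still
    a descendant of the canonical target_dir before returning it.
    """
    target_dir = camera_config.get('target_dir')
    if not target_dir:
        raise MediaPathError('camera has no target_dir configured')
    # os.path.join() drops target_dir when the second argument is absolute,
    # so refuse absolute paths before joining rather than relying on join.
    if os.path.isabs(path):
        raise MediaPathError('absolute paths are not allowed: %r' % path)
    root = os.path.realpath(target_dir)
    full_path = os.path.realpath(os.path.join(root, path))
    # commonpath() compares whole path components, so a sibling such as
    # '<root>-evil' is not mistaken for a child of '<root>'.
    if full_path == root or os.path.commonpath([root, full_path]) != root:
        raise MediaPathError('path escapes media directory: %r' % path)
    return full_path


def is_safe_media_path(camera_config, path, media_type='movie'):
    """True if get_media_path() accepts the request, False if it is rejected."""
    try:
        get_media_path(camera_config, path, media_type)
        return True
    except MediaPathError:
        return False


def demo_checks():
    """Exercise the check against a throwaway media directory (constructed sample inputs)."""
    with tempfile.TemporaryDirectory() as target_dir:
        cfg = {'target_dir': target_dir}
        sibling = '../' + os.path.basename(target_dir) + '-evil/x.mp4'
        return {
            'relative_ok': is_safe_media_path(cfg, 'Camera1/2024-01-01/12-00-00.mp4'),
            'absolute_rejected': not is_safe_media_path(cfg, '/etc/motioneye/motion.conf'),
            'dotdot_rejected': not is_safe_media_path(cfg, '../../etc/passwd'),
            'sibling_prefix_rejected': not is_safe_media_path(cfg, sibling),
            'empty_rejected': not is_safe_media_path(cfg, ''),
        }
```

The same check belongs in `validate_absolute_path()` of any handler that overrides Tornado's `StaticFileHandler`, so the framework-level guard is replaced rather than merely removed.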