2025-05-22 11:18:08.055 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /pms?module=logging&file_name=../../../../../../~/.aws/credentials&number_of_lines=10000
How could I find out which code caused this error?
It does look rather suspicious for code to access aws credentials “traversing” up the folder structure.
Setup: HA on Raspberry with only Nabu Casa for outside access.
There was no strange CPU activity around that time.
There were no strange entries in the logs or log-book.
It is someone attempting an exploit that was patched a long time ago. They can no longer do any harm with it.
The only way to prevent it happening is to not rely on port forwarding for your remote access. Did you used to use DuckDNS?
If so remove the port forwarding rules you used to use.
If not, then they have looked up your Nabu Casa URL.
You could block all traffic from the originating address in your router but there really is nothing to worry about. That exploit does not work any more.
Port forwarding has not been used for DuckDNS or HA.
The only port forwarding is to my VPN router and that has traffic that is only used by my phone and laptop + no access to HA in the ‘IoT’ VLAN. In my view that leaves 2 options:
1. Through the Nabu Casa URL
2. From within my local network?
#1: I have requested my Nabu Casa URL to be randomly updated (if that’s possible)
#2: How could I find out what tried to do this from internal? For now I have set the homeassistant.components.http.security_filter to debug. Maybe that will spit out something.
You could block all traffic from the originating address in your router but there really is nothing to worry about. That exploit does not work any more.
The thing is that this was an exploit that doesn’t work anymore but which are?
I used to see this quite a lot when using DuckDNS and port forwarding. Maybe a couple of times a week. I have not seen it since switching to Nabu Casa but that does not mean it can’t happen. It just means the script kiddie attempting the attack can’t use port scanning tools and has to look up the Nabu Casa security certificates to find you.
I’ve been using Nabu Casa exclusively for about four years now, and as I said, this is the first time I’ve seen this warning. It’s clear that some script kiddies are constantly scouring the internet for vulnerabilities, but I was a little surprised that @duittenb posted the same thing here a few days ago. Precisely because I’ve never seen a warning like this with Nabu Casa before. But it’s probably just a coincidence.
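As an added example (not part of the thread and not Home Assistant's own code), the following parses security_filter warnings of the form quoted at the top and reports which endpoint was probed, which parameter carried the traversal, and which file was being asked for. The function names, the traversal regex and every sample line except the first are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Message format taken from the warning quoted at the top of the thread.
WARNING = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) WARNING \(\w+\) "
    r"\[homeassistant\.components\.http\.security_filter\] "
    r"Filtered a request with a potential harmful query string: (?P<target>\S+)"
)
# Assumption: a parameter value containing a ../ or ..\ segment counts as traversal.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def parse_filtered(lines):
    """Yield one dict per security_filter warning found in the log lines."""
    for line in lines:
        m = WARNING.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        # parse_qsl percent-decodes values, so %2e%2e%2f is caught as well.
        params = parse_qsl(url.query, keep_blank_values=True)
        hits = {k: v for k, v in params if TRAVERSAL.search(v)}
        yield {
            "time": m["ts"],
            "path": url.path,
            "traversal_params": hits,
            # The file the request was after: value with leading ../ hops removed.
            "wanted": [re.sub(r"^(\.\.[\\/])+", "", v) for v in hits.values()],
        }

def summarize(lines):
    """Count filtered requests per endpoint path."""
    return Counter(event["path"] for event in parse_filtered(lines))

# Constructed sample: line 1 is the warning from the thread, lines 2-3 are made up.
SAMPLE = [
    "2025-05-22 11:18:08.055 WARNING (MainThread) [homeassistant.components.http.security_filter] "
    "Filtered a request with a potential harmful query string: "
    "/pms?module=logging&file_name=../../../../../../~/.aws/credentials&number_of_lines=10000",
    "2025-05-22 11:18:09.101 INFO (MainThread) [homeassistant.core] constructed unrelated line",
    "2025-05-22 11:20:00.000 WARNING (MainThread) [homeassistant.components.http.security_filter] "
    "Filtered a request with a potential harmful query string: /example?f=%2e%2e%2fconstructed.txt",
]

if __name__ == "__main__":
    for event in parse_filtered(SAMPLE):
        print(event["time"], event["path"], event["traversal_params"], event["wanted"])
    print(summarize(SAMPLE))
```

The warning as quoted carries no client address, so this output shows what was requested and when, not who sent it.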