
Cloud Vulnerability DB
A community-led vulnerabilities database
The ACME-challenge endpoint in Appwrite versions 0.5.0 through 0.12.x before 0.12.2 contained a Local File Inclusion (LFI) vulnerability that allowed remote attackers to read arbitrary local files via directory traversal. The vulnerability was discovered in December 2021 and was fixed in version 0.12.2 released on February 11, 2022 (Dubell Blog, GitHub Release).
The vulnerability existed in the /.well-known/acme-challenge endpoint's path validation logic. The issue stemmed from an incorrect check '!\substr($absolute, 0, \strlen($base)) === $base': because the '!' operator binds to the substr result before the '===' comparison, the check negated the returned string (yielding a boolean) and then compared that boolean to $base, so the comparison was never true and the path validation was bypassed. This allowed attackers to use ../ directory traversal sequences to access files outside the intended directory. The vulnerability was exploitable when the path APP_STORAGE_CERTIFICATES/.well-known/acme-challenge existed on disk, which was created automatically if the user chose to install Let's Encrypt certificates via Appwrite (Dubell Blog).
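To make the precedence problem concrete, the following PHP is an added example written for this page, not Appwrite's code or its actual fix. It reproduces the shape of the flawed check beside a corrected one; the base directory is a constructed stand-in for APP_STORAGE_CERTIFICATES/.well-known/acme-challenge, and a string-based normalize() replaces realpath() so the example runs without that directory existing.

```php
<?php
// Added illustration (not Appwrite's code): why the inverted prefix check never
// rejects a traversing path, and what a correct containment check looks like.

// Constructed stand-in for APP_STORAGE_CERTIFICATES/.well-known/acme-challenge
const BASE = '/storage/certificates/.well-known/acme-challenge';

// Pure-string path normalisation used instead of realpath(), so the directory
// does not need to exist for the example to run. Collapses '.', '..' and '//'.
function normalize(string $path): string {
    $parts = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($parts); // step up one level (no-op at the root)
            continue;
        }
        $parts[] = $seg;
    }
    return '/' . implode('/', $parts);
}

// Shape of the flawed check. '!' has higher precedence than '===', so the left
// operand is !substr(...): a boolean (false for any non-empty prefix), which is
// then strictly compared to the string $base. That is never true, so the
// "outside the base directory" branch is unreachable and every path is accepted.
function vulnerableCheck(string $token): bool {
    $base = BASE;
    $absolute = normalize($base . '/' . $token);
    if (!\substr($absolute, 0, \strlen($base)) === $base) {
        return false; // intended rejection; never reached
    }
    return true;
}

// Corrected check: negate the whole comparison, and include the trailing
// separator so a sibling such as '.../acme-challenge-other' is not accepted
// merely because it shares the prefix.
function fixedCheck(string $token): bool {
    $base = BASE;
    $absolute = normalize($base . '/' . $token);
    if (\substr($absolute, 0, \strlen($base) + 1) !== $base . '/') {
        return false; // resolved path is outside the base directory
    }
    return true;
}

// Constructed inputs: a legitimate challenge token and a traversing one.
foreach (['token123', '../../../etc/passwd'] as $token) {
    printf("%-22s vulnerable=%s fixed=%s\n",
        $token,
        vulnerableCheck($token) ? 'accept' : 'reject',
        fixedCheck($token) ? 'accept' : 'reject');
}
```

Running it shows the vulnerable check accepting both inputs while the corrected check accepts only the plain token. The same class of mistake is worth a lint rule or a unit test in any codebase that confines file access by string prefix: assert that at least one traversing input is rejected, since a check that can never fail looks identical to a correct one in a casual review.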
The impact was severe, as the flaw allowed reading arbitrary local files on the system. If PHP was running as root (as in the provided Docker environment), an attacker could read any system file, including sensitive files such as /etc/shadow, /etc/passwd, private SSH keys, private certificate keys, .bash_history, local Appwrite cache files, configuration files, and the process environment exposed via /proc/self/environ, which contains secrets such as database credentials (Dubell Blog).
The vulnerability was fixed in Appwrite version 0.12.2. Users should upgrade to this version or later to mitigate the issue. The fix corrected the path validation logic in the ACME-challenge endpoint (GitHub Release).
Source: This report was generated using AI