Summary
checkPathExists() in server/controllers/FileSystemController.js passes a caller-supplied filepath to fs.pathExists() without confining it to a library root, so any authenticated user with canUpload=true can use /api/filesystem/pathexists to test whether arbitrary files or directories exist on the host.
Details
server/controllers/FileSystemController.js → checkPathExists() accepts a raw filepath in the request body and passes it straight to fs.pathExists() without ensuring the path is inside any library root.
Any authenticated user with canUpload=true can therefore test the existence of any file on the operating system that the service has access to.
PoC
Modify the web request to the /api/filesystem/pathexists endpoint with any path on the system outside of the libraries.
For example, I created a test folder in the users/default/desktop dir.
I should not be able to reach this via a web request:
{
"filepath":"C:/users/Default/Desktop/Test FOlder"
}
Impact
Information leak: the existence of arbitrary files and directories on the host can be confirmed.