Summary
Manyfold allows authenticated users to rename uploaded files using path traversal sequences.
The filename field is user-controlled and later used in filesystem paths without proper sanitization:
File.join(model.path, filename)
By renaming a file to:
the application writes the file outside the configured library directory.
PoC
- Upload a valid model file.
- Rename it to:
- Save changes.
- Inside the container:
find / -name outside.stl 2>/dev/null
Result:
Impact
Authenticated users able to edit files can write/move files outside the intended storage directory.
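The root cause described above is a user-controlled name reaching File.join unchecked. The following is an added example of the kind of check that closes that gap; it is not Manyfold's own code, and the method names, the library path and the sample filenames are constructed for illustration. It treats a stored filename as a single path component (no separators, no dot segments, no NUL bytes) and, as a second line of defence, confirms that the resolved path is still inside the library directory before returning it.

```ruby
# Added example (not Manyfold's code): reject path traversal in a filename
# before it is combined with the library directory via File.join.
require "pathname"

class UnsafeFilename < StandardError; end

# Returns the absolute path for +filename+ under +library_dir+, or raises
# UnsafeFilename if the name could escape the directory.
def safe_model_path(library_dir, filename)
  name = filename.to_s

  # A stored filename must be a bare component: nothing that the OS could
  # interpret as a directory change.
  raise UnsafeFilename, "empty name" if name.empty?
  raise UnsafeFilename, "separator in name" if name.include?("/") || name.include?("\\")
  raise UnsafeFilename, "dot segment" if name == "." || name == ".."
  raise UnsafeFilename, "NUL byte in name" if name.include?("\0")

  base = File.expand_path(library_dir)
  full = File.expand_path(File.join(base, name))

  # Belt and braces: whatever the component checks missed, the resolved path
  # must still sit strictly below the library directory.
  unless full.start_with?(base + File::SEPARATOR)
    raise UnsafeFilename, "resolves outside library directory"
  end
  full
end

# Convenience predicate for callers that only need accept/reject.
def filename_safe?(library_dir, filename)
  safe_model_path(library_dir, filename)
  true
rescue UnsafeFilename
  false
end

if __FILE__ == $PROGRAM_NAME
  lib = "/var/lib/manyfold/library" # constructed example path
  # Constructed inputs: one legitimate rename and three traversal-shaped ones.
  ["model.stl", "../outside.stl", "sub/model.stl", ".."].each do |name|
    verdict = filename_safe?(lib, name) ? "accepted" : "rejected"
    puts "#{name.inspect}: #{verdict}"
  end
end
```

The strict single-component rule is deliberate: a rename feature has no reason to accept separators at all, so rejecting them outright is simpler to reason about than trying to normalise them. The final start_with? check on the expanded path is what catches anything a future change to the component rules might let through, and it is the check to keep even if the rest is relaxed.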