Path traversal file write via savein()

High
xyproto published GHSA-2j2c-pv62-mmcp May 5, 2026

Package

No package listed

Affected versions

< 1.17.6

Patched versions

1.17.6

Description

uploadedFileSaveIn() in lua/upload/upload.go builds the destination path with filepath.Join() from the caller-supplied directory, but performs no boundary check after joining. Because filepath.Join() cleans the result, a directory of ../../../tmp resolves to /tmp, outside the web root, and the uploaded file is written there.
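The following is an added illustration, not Algernon's own code: a reconstruction of the unchecked join pattern the advisory describes next to a hardened version that verifies the joined path still lies under the upload root. The root, directory and file names are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrOutsideRoot = errors.New("resolved path escapes the upload root")

// unsafeUploadPath mirrors the vulnerable pattern: join the caller-supplied
// directory onto the root and trust the cleaned result. With dir set to
// "../../../tmp" the returned path lands in /tmp.
func unsafeUploadPath(root, dir, name string) string {
	return filepath.Join(root, dir, name)
}

// safeUploadPath joins the same inputs but then checks that the result is
// still inside root by computing the relative path back from the root.
// Note: this is a lexical check only; it does not resolve symlinks.
func safeUploadPath(root, dir, name string) (string, error) {
	// The file name itself must be a single path element.
	if name == "" || name == "." || name == ".." || filepath.Base(name) != name {
		return "", errors.New("invalid file name")
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	joined := filepath.Join(absRoot, dir, name)
	rel, err := filepath.Rel(absRoot, joined)
	if err != nil {
		return "", err
	}
	// A relative path that is ".." or starts with "../" points outside root.
	// Checking for the separator avoids rejecting names like "..cache".
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return joined, nil
}

func main() {
	fmt.Println(unsafeUploadPath("/var/www/uploads", "../../../tmp", "x.txt"))
	_, err := safeUploadPath("/var/www/uploads", "../../../tmp", "x.txt")
	fmt.Println(err)
}
```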

Impact

If Algernon is run as root (not recommended) and set up for file upload, and the user-provided Lua source code has no safeguards of its own, then files may be uploaded to /tmp or nearly anywhere on the system.

If Algernon is set up with a well-restricted systemd service file, the problem is limited to writing files within the service's allowed paths, for example /home/algernon.

Algernon comes with example systemd service files.

Patches

Patched in version 1.17.6.

Workarounds

Use a stricter systemd service file. Adding extra checks around file uploads in the Lua code may also help, but upgrading is recommended.

References

#172

Severity

High

CVE ID

CVE-2026-43982

Weaknesses

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.

Credits