Skip to content

Listing of upload directory contents possible

ThomasLeister published GHSA-qmfx-75ff-8mw6 Jan 8, 2020
Severity
high
Affected versions
< 1.0.1
Patched versions
>= 1.0.1

There's an security issue in prosody-filer versions < 1.0.1 which leads to unwanted directory listings of download directories.

An attacker is able to list previous uploads of a certain user by shortening the URL and accessing a URL subdirectors other than /upload/ (or the corresponding user defined root dir)

Version 1.0.1 and later fix this problem and allow only direct file access if the full path is known. Directory listings are blocked entirely.


If you're using the alternative Nginx configuration to let Nginx serve static files, make sure to set autoindex off; in your config:

location /upload/ {
        if ( $request_method = OPTIONS ) {
                [...]
        }

        root /home/prosody-filer;
        autoindex off;
        [...]
    }

You can’t perform that action at this time.