[BUG] Path Traversal Vulnerability with Static Web Server
Describe the bug
A logged-in user can access /etc/passwd via the Web Directory Manager in Static Web Server.
To Reproduce
- Go to the `Static Web Server` tab.
- Click on `index.html` in the `Web Directory Manager` section.
- The URL `http://localhost:8000/api/fs/download?file=/index.html&preview=true` appeared.
- Replace it with `http://localhost:8000/api/fs/download?file=/../../../../../../../../../../../etc/passwd&preview=true`.
Expected behavior
It should return file not found because it is out of bounds.
Screenshots
Host Environment (please complete the following information):
- Arch: amd64
- OS: Ubuntu 22.04 (WSL v2)
- Zoraxy Version: v3.0.9
Additional context
Steps provided in the Golang Path Traversal Guide: Examples and Prevention:
- Reflect the relative paths to the actual system path with `filepath.Clean()`.
- Evaluate the symlinks to ensure that files within bounds are not pointing outside of the bound using `filepath.EvalSymlinks()`.
- Make sure the final path is within a trusted root using `filepath.Dir()`.
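As an added example (not Zoraxy's code and not taken from the guide linked above), the three steps in that checklist combined into one Go function. `SafeJoin` and `ErrOutsideRoot` are names chosen for this example, and the web root is a constructed temporary directory; the second request string is the one from the report, which after `Clean` collapses into the root and is reported as not found, matching the expected behaviour stated in the issue.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when the resolved path escapes the trusted root.
// (Name chosen for this example; it is not part of Zoraxy.)
var ErrOutsideRoot = errors.New("requested path is outside the trusted root")

// SafeJoin maps a user-supplied path (such as the "file" query parameter in the
// report) onto the trusted root and returns the resolved path only if it stays
// inside that root. It applies the three steps from the issue's checklist:
// Clean, EvalSymlinks, and a containment check against the root.
func SafeJoin(root, userPath string) (string, error) {
	// Canonicalise the root itself so the containment check compares like with
	// like (the root directory may itself sit behind a symlink).
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	realRoot, err := filepath.EvalSymlinks(absRoot)
	if err != nil {
		return "", err
	}

	// Step 1: treat the request as rooted at "/" and Clean it. With a leading
	// separator, Clean collapses any number of leading ".." segments instead of
	// letting them climb above the root; "/../../etc/passwd" becomes "/etc/passwd".
	rel := filepath.Clean("/" + filepath.FromSlash(userPath))
	candidate := filepath.Join(realRoot, rel)

	// Step 2: resolve symlinks so that a link placed inside the root cannot
	// point at a file outside it. A missing file surfaces here as a not-found error.
	resolved, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", err
	}

	// Step 3: the resolved path must be the root itself or lie strictly below it.
	// Comparing with a trailing separator stops "/srv/www2" matching root "/srv/www".
	if resolved != realRoot && !strings.HasPrefix(resolved, realRoot+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return resolved, nil
}

func main() {
	// Constructed sample: a temporary web root holding one index.html.
	root, err := os.MkdirTemp("", "webroot")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := os.WriteFile(filepath.Join(root, "index.html"), []byte("<html></html>"), 0o644); err != nil {
		panic(err)
	}

	for _, req := range []string{
		"/index.html",
		"/../../../../../../../../../../../etc/passwd", // the string from the report
	} {
		p, err := SafeJoin(root, req)
		fmt.Printf("%-48s -> path=%q err=%v\n", req, p, err)
	}
}
```

The containment check is done on the symlink-resolved path rather than on the cleaned string, so a symlink created inside the root that points elsewhere is rejected with `ErrOutsideRoot` even though its textual path looks in-bounds.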
This also affects ARM64 on v3.1.0. I am able to reproduce this on my setup.
@krosseyed No worries, this API requires authentication before access and this does not pose an immediate security risk to Zoraxy. This will be fixed in the next release.
Ah, I see access is denied to that URL after logging out. I do have to log in to get traversal to /etc/passwd, and I do not expose Zoraxy directly to the internet.
Thanks for being proactive on this @tobychui and I really enjoy using this software!
For the future maybe it would be better to not post it publicly? :D
> For the future maybe it would be better to not post it publicly? :D
I did feel sorry and private messaged @tobychui to talk about this 💀💀
I'll be more careful next time to avoid any concerns
Patched