
Listing of upload directory contents possible

High severity GitHub Reviewed Published Jan 8, 2020 in ThomasLeister/prosody-filer • Updated Jan 9, 2023

Package

gomod github.com/ThomasLeister/prosody-filer (Go)

Affected versions

< 1.0.1

Patched versions

1.0.1

Description

There is a security issue in prosody-filer versions < 1.0.1 that leads to unwanted directory listings of download directories.

An attacker is able to list the previous uploads of a given user by shortening an upload URL and requesting a URL subdirectory other than /upload/ (or the corresponding user-defined root directory) itself, i.e. the per-user directory rather than a file inside it.

Version 1.0.1 and later fix this problem: direct file access is only allowed when the full path is known, and directory listings are blocked entirely.
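The following is an added illustration of the class of bug the advisory describes, not prosody-filer's own code. It assumes a hypothetical minimal file server with the layout <root>/<user-id>/<filename> (the /upload/ prefix is left out), where the vulnerable handler hands every request to http.ServeFile, which renders an HTML listing when the path is a directory, and the hardened handler stats the path first and serves only regular files whose full path the client already knows. The user directory name "abc123" and the file contents are constructed demo data.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// vulnerableHandler maps the URL path straight onto the upload root and lets
// http.ServeFile decide what to do. For a directory with a trailing slash
// ServeFile writes an HTML listing of its entries (hypothetical handler,
// modelled on the advisory's description).
func vulnerableHandler(root string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p := filepath.Join(root, filepath.FromSlash(r.URL.Path))
		http.ServeFile(w, r, p)
	})
}

// hardenedHandler only serves regular files: directories (and anything that
// is not a plain file) are answered with 404, so shortening a URL to the
// per-user directory reveals nothing.
func hardenedHandler(root string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Anchor the path at "/" so ".." cannot climb above the root.
		clean := path.Clean("/" + r.URL.Path)
		p := filepath.Join(root, filepath.FromSlash(clean))

		// Defense in depth: the resolved path must stay inside root.
		rel, err := filepath.Rel(root, p)
		if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			http.NotFound(w, r)
			return
		}

		fi, err := os.Stat(p)
		if err != nil || !fi.Mode().IsRegular() {
			// Directory, missing file or special file: never list, never hint.
			http.NotFound(w, r)
			return
		}
		http.ServeFile(w, r, p)
	})
}

// probe issues an in-memory GET against a handler and returns status and body.
func probe(h http.Handler, urlPath string) (int, string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, urlPath, nil)
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

// newDemoRoot builds a throwaway upload root: <root>/abc123/file.txt
// (constructed demo data, not a real upload).
func newDemoRoot() (root string, cleanup func(), err error) {
	root, err = os.MkdirTemp("", "upload-demo")
	if err != nil {
		return "", nil, err
	}
	cleanup = func() { os.RemoveAll(root) }
	userDir := filepath.Join(root, "abc123")
	if err = os.Mkdir(userDir, 0o700); err != nil {
		cleanup()
		return "", nil, err
	}
	if err = os.WriteFile(filepath.Join(userDir, "file.txt"), []byte("secret upload contents\n"), 0o600); err != nil {
		cleanup()
		return "", nil, err
	}
	return root, cleanup, nil
}

func main() {
	root, cleanup, err := newDemoRoot()
	if err != nil {
		panic(err)
	}
	defer cleanup()

	// Shortened URL: the per-user directory instead of a file inside it.
	code, body := probe(vulnerableHandler(root), "/abc123/")
	fmt.Printf("vulnerable  GET /abc123/         -> %d, lists file.txt: %v\n", code, strings.Contains(body, "file.txt"))

	code, _ = probe(hardenedHandler(root), "/abc123/")
	fmt.Printf("hardened    GET /abc123/         -> %d\n", code)

	code, body = probe(hardenedHandler(root), "/abc123/file.txt")
	fmt.Printf("hardened    GET /abc123/file.txt -> %d, %q\n", code, strings.TrimSpace(body))
}
```

The important check is `fi.Mode().IsRegular()`: a `!fi.IsDir()` test alone would still pass symlinks to directories and device files through to ServeFile. Returning the same 404 for directories and for missing files also avoids confirming which user directories exist.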

References

Reviewed May 24, 2021
Published to the GitHub Advisory Database May 27, 2021
Last updated Jan 9, 2023

Severity

High

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-qmfx-75ff-8mw6

Source code

No known source code