Path Traversal in filegator/filegator
Reported on
May 22nd 2022
🔒️ Requirements
Privilege: User
📝 Description
The file path isn't properly sanitized and allows ..\ sequences.
🕵️‍♂️ Proof of Concept
Listing other user folder content
First, create a user with the Read privilege and a specific home folder such as /test. Then connect to that account and access the home page http://localhost:8080/:

From there, change folder using path traversal via the cd parameter:

As you can see, we are able to view folder content.
Write file
First, create a user with Read and Write privileges and a specific home folder such as /test. Then connect to that account and access the home page http://localhost:8080/. From there, create a new file named ..\test.txt, then go to the root folder with another account:

You will see that the file was created outside of the test user's folder limitation.
PS: Note that the same could be done to all features in the file https://github.com/filegator/filegator/blob/642bb273334207359166d48b6c719a89e98a0676/backend/Controllers/FileController.php due to:
$this->separator
Impact
An attacker can use path traversal to:
- List files in a folder that they shouldn't access.
- Write|Move|Copy|... files in a folder that the current user doesn't have the rights for.
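
A check of the kind this report calls for, as an added example and not FileGator's own code or its fix: it treats both / and \ as separators before resolving .. segments, and rejects any path that would climb above the user's home folder. The function name and the sample paths are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not FileGator code. resolveUnderHome() is a hypothetical name.

/**
 * Resolve a user-supplied relative path under $home, treating both "/" and
 * "\" as separators. Throws if the path would climb above $home.
 */
function resolveUnderHome(string $home, string $userPath): string
{
    if (strpos($userPath, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in path');
    }

    $resolved = [];
    // Split on either separator so "..\x" is parsed the same way as "../x".
    foreach (preg_split('#[/\\\\]+#', $userPath) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue; // empty and current-directory segments change nothing
        }
        if ($segment === '..') {
            if ($resolved === []) {
                // Already at the home folder: going up would leave it.
                throw new InvalidArgumentException('path escapes home folder');
            }
            array_pop($resolved);
            continue;
        }
        $resolved[] = $segment;
    }

    return rtrim($home, '/') . '/' . implode('/', $resolved);
}

// Constructed sample inputs for a user whose home folder is /test.
$samples = ['docs/report.txt', 'docs/../notes.txt', '..\\test.txt', 'a/..\\..\\b', '../'];
foreach ($samples as $path) {
    try {
        printf("%-20s -> %s\n", $path, resolveUnderHome('/test', $path));
    } catch (InvalidArgumentException $e) {
        printf("%-20s -> rejected (%s)\n", $path, $e->getMessage());
    }
}
```

Applying one such resolver to every path-taking parameter (cd, file names, move and copy targets) keeps the rule identical across all controller actions.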