Path Traversal in filegator/filegator

Valid

Reported on

May 22nd 2022


🔒️ Requirements

Privilege: User

📝 Description

The file path isn't properly sanitized and allows ..\ sequences.

🕵️‍♂️ Proof of Concept

Listing another user's folder content

First, create a user with the Read privilege and a specific home folder such as /test. Then connect to that account and open the home page http://localhost:8080/:

[Screenshot: PT_1.png]

From there, change folder using path traversal via the cd parameter:

[Screenshot: PT_2.png]

As you can see, we are able to view the folder content.

Write file

First, create a user with Read and Write privileges and a specific home folder such as /test. Then connect to that account and open the home page http://localhost:8080/. From there, create a new file named ..\test.txt, then go to the root folder with another account:

[Screenshot: PT_4.png]

You will see that the file was created outside of the test user's folder limitation.

PS: Note that the same could be done to all features in the file https://github.com/filegator/filegator/blob/642bb273334207359166d48b6c719a89e98a0676/backend/Controllers/FileController.php due to:

$this->separator
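
An added example, not FileGator's code or its fix: a hypothetical sanitizer that only splits on one configured separator, next to a hardened version that treats both / and \ as separators and rejects any path that climbs above the home folder. The function names naiveJoin and safeJoin and the sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical "before": only the configured separator is considered,
// so "..\" is never recognised as a parent-directory segment.
function naiveJoin(string $home, string $userPath, string $separator = '/'): string
{
    $kept = [];
    foreach (explode($separator, $userPath) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            continue;
        }
        $kept[] = $segment;
    }
    return rtrim($home, $separator) . $separator . implode($separator, $kept);
}

// Hardened: split on "/" and "\" alike, resolve segments lexically,
// and refuse any path that would climb above the home folder.
function safeJoin(string $home, string $userPath): string
{
    $stack = [];
    foreach (preg_split('#[/\\\\]+#', $userPath) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            if ($stack === []) {
                throw new InvalidArgumentException('path escapes home folder');
            }
            array_pop($stack);
            continue;
        }
        $stack[] = $segment;
    }
    return rtrim($home, '/') . '/' . implode('/', $stack);
}

// Constructed inputs mirroring the report: home folder /test, "..\" in the name.
foreach (['docs/a.txt', '..\\test.txt', 'docs\\..\\..\\other'] as $input) {
    echo str_pad($input, 20), ' naive: ', naiveJoin('/test', $input), ' | safe: ';
    try {
        echo safeJoin('/test', $input), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

The naive version returns /test/..\test.txt unchanged, which a filesystem that treats \ as a separator resolves outside /test; the hardened version rejects it.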

Impact

An attacker can use path traversal to:

  • List files in folders that they shouldn't have access to.
  • Write|Move|Copy|... files in a folder that the current user doesn't have the rights for.

References

We are processing your report and will contact the filegator team within 24 hours. a year ago
We have contacted a member of the filegator team and are waiting to hear back a year ago
Milos Stojanovic validated this vulnerability a year ago
Mizu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Milos Stojanovic marked this as fixed in 7.8.0 with commit 6e2b68 a year ago
Milos Stojanovic has been awarded the fix bounty
This vulnerability will not receive a CVE