LFI / Path Traversal allows attacker to read any file in the working directory in szabodanika/microbin

Status: Valid

Reported on Jul 14th 2022

Description

The file upload functionality allows a user to attach a file to a paste. When an attacker views the attached file, they can alter the path (e.g. via Burp Suite) and read any file in the working directory via a relative path. This also applies to private pastes. The attacker needs to know the file name; however, the database.json file is always located at ../database.json and contains information on all pastes. This can cause the application data to be compromised.

To fix this, filtering out the dots should be enough.

Proof of Concept

Use Burp to intercept the GET request to /file/foo-bar-test/file.txt and change it to /file/../database.json. This will return the file contents of the database.
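As an added example (not microbin's own code, and not the fix referenced in the timeline below): a Rust helper that maps the `<paste-id>/<file-name>` part of a `/file/` request onto a fixed upload directory, rejecting any parent-directory, root or percent-encoded traversal component instead of stripping it. The upload directory name and the two-component shape of the path are assumptions.

```rust
use std::path::{Component, Path, PathBuf};

/// Assumed directory that attachments are served from (constructed for this example).
pub const UPLOAD_ROOT: &str = "./pasta_data/attachments";

/// Minimal percent-decoder so encoded sequences such as "%2e%2e%2f" are
/// validated after decoding, not before. Returns None on malformed escapes.
fn percent_decode(s: &str) -> Option<String> {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' {
            let hex = std::str::from_utf8(bytes.get(i + 1..i + 3)?).ok()?;
            out.push(u8::from_str_radix(hex, 16).ok()?);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    String::from_utf8(out).ok()
}

/// Resolve a user-supplied "<paste-id>/<file-name>" string to a path under
/// UPLOAD_ROOT, or return None if it could reference anything outside it.
pub fn resolve_attachment(requested: &str) -> Option<PathBuf> {
    let decoded = percent_decode(requested)?;
    // NUL bytes can truncate the path at the OS level; refuse them outright.
    if decoded.contains('\0') {
        return None;
    }
    let mut names = Vec::new();
    for component in Path::new(&decoded).components() {
        match component {
            // Only plain file/directory names may be used to build the path.
            Component::Normal(name) => names.push(name.to_owned()),
            // A harmless leading "./" is ignored.
            Component::CurDir => continue,
            // "..", a leading "/" and Windows drive prefixes are rejected, not stripped.
            _ => return None,
        }
    }
    // The endpoint only ever serves <paste-id>/<file-name>; anything else is suspect.
    if names.len() != 2 {
        return None;
    }
    let mut safe = PathBuf::from(UPLOAD_ROOT);
    safe.extend(&names);
    Some(safe)
}
```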

Impact

Reveals any data within the server's working directory.

Timeline

We are processing your report and will contact the szabodanika/microbin team within 24 hours. 20 days ago
ablgh modified the report 20 days ago
We have contacted a member of the szabodanika/microbin team and are waiting to hear back 16 days ago
We have sent a follow up to the szabodanika/microbin team. We will try again in 7 days. 13 days ago
We have sent a second follow up to the szabodanika/microbin team. We will try again in 10 days. 6 days ago
Dániel Szabó validated this vulnerability 3 days ago
ablgh has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Dániel Szabó confirmed that a fix has been merged on 05941f 3 days ago
Dániel Szabó has been awarded the fix bounty
Dániel Szabó gave praise 3 days ago
This has been addressed by isolating database.json from the served files
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1