Path Traversal in svenstaro/miniserve

Valid

Reported on May 4th 2021


✍️ Description

The file upload feature in miniserve is vulnerable to path traversal. An attacker can upload a file with "../" in the filename, and the web server will then write the file outside of the served directory.

The severity of this issue increases if the user enables the --overwrite-files flag, as that allows an attacker to overwrite existing files anywhere on the server.

🕵️‍♂️ Proof of Concept

  1. Run the miniserve binary with ./miniserve -u
  2. Access the web address in a web browser (default port is 8080).
  3. Upload a dummy file
  4. Intercept the upload request using a proxy tool such as Burp Suite.
  5. Modify the filename parameter and add "../" into it as a prefix.
  6. Forward the upload request.

The file will be successfully uploaded to the parent directory. This proves path traversal in the upload functionality. An attacker can use multiple dot-dot-slash sequences to upload/overwrite files inside any directory of the server.

Video proof of concept - https://drive.google.com/file/d/1SSYIN5udgy37OcQ6A8-MNquPM0SQ3rLY/view?usp=sharing

💥 Impact

This vulnerability allows an attacker to upload files outside of the directory scope (the directory from which the miniserve binary was started) and even overwrite existing files if the overwrite flag is enabled. This can harm the integrity of the files on the server.
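One way to close this class of bug on the server side is to accept a client-supplied upload name only when it is a single plain file-name component. The Rust sketch below is an added example, not miniserve's code or the merged fix; `safe_upload_path`, the `/srv/share` directory and the sample names are assumptions made for illustration.

```rust
use std::path::{Component, Path, PathBuf};

/// Resolve a client-supplied upload filename against `upload_dir`.
/// Returns None unless the name is exactly one plain file-name component,
/// so the result can never point outside `upload_dir`.
/// (Hypothetical helper for illustration, not part of miniserve.)
fn safe_upload_path(upload_dir: &Path, client_name: &str) -> Option<PathBuf> {
    // Reject both separator styles and NUL regardless of host OS, so a
    // Windows-style "..\\x" is refused on Unix as well.
    if client_name.is_empty()
        || client_name.contains(|c: char| matches!(c, '/' | '\\' | '\0'))
    {
        return None;
    }
    let mut parts = Path::new(client_name).components();
    match (parts.next(), parts.next()) {
        // Exactly one component, and it is a normal name (not "." or "..",
        // not a root or drive prefix).
        (Some(Component::Normal(name)), None) => Some(upload_dir.join(name)),
        _ => None,
    }
}

fn main() {
    // Constructed sample filenames, as they might arrive in the multipart
    // "filename" parameter of an upload request.
    let upload_dir = Path::new("/srv/share");
    let samples = [
        "report.pdf",
        "../report.pdf",
        "../../etc/cron.d/job",
        "..",
        "/etc/passwd",
        "..\\report.pdf",
    ];
    for name in samples.iter() {
        match safe_upload_path(upload_dir, name) {
            Some(p) => println!("accept {:?} -> {}", name, p.display()),
            None => println!("reject {:?}", name),
        }
    }
}
```

When overwriting is not wanted, opening the resolved path with `std::fs::OpenOptions::new().write(true).create_new(true)` makes the write fail if the file already exists.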

Sven-Hendrik Haase validated this vulnerability 3 months ago
Ritik Sahni has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sven-Hendrik Haase confirmed that a fix has been merged on 699e17 3 months ago
Sven-Hendrik Haase has been awarded the fix bounty