Path Traversal in svenstaro/miniserve
May 4th 2021
The file upload feature in miniserve is vulnerable to path traversal. An attacker can upload a file with "../" in the filename, and the web server will then write the file outside of the directory scope.
The severity of this security issue increases if the user enables the --overwrite-files flag, as that can allow an attacker to overwrite existing files anywhere on the server.
🕵️♂️ Proof of Concept
- Run the miniserve binary with
- Access the web address in a web browser (default port is 8080).
- Upload a dummy file.
- Intercept the upload request using a proxy tool such as Burp Suite.
- Modify the filename parameter and add "../" into it as a prefix.
- Forward the upload request.
The file will be successfully uploaded to a parent directory. This proves path traversal in the upload functionality. An attacker can use multiple dot-dot-slash sequences to upload/overwrite files inside any directory of the server.
Video proof of concept - https://drive.google.com/file/d/1SSYIN5udgy37OcQ6A8-MNquPM0SQ3rLY/view?usp=sharing
This vulnerability allows an attacker to upload files outside of the directory scope (from where the miniserve binary started) and even overwrite existing files if the overwrite flag is enabled. This can harm the integrity of the files on the server.
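One way a server can refuse such filenames before writing anything, shown as an added example (this is not miniserve's code or its actual fix). The helper `resolve_upload_target`, the `UploadError` type and the sample directory and filenames are assumptions made for illustration.

```rust
use std::path::{Component, Path, PathBuf};

/// Why an upload filename was refused.
#[derive(Debug, PartialEq)]
enum UploadError {
    EmptyName,
    UnsafeComponent,
    WouldOverwrite,
}

/// Hypothetical helper: map a client-supplied filename to a path inside `upload_dir`.
fn resolve_upload_target(
    upload_dir: &Path,
    client_name: &str,
    overwrite: bool,
) -> Result<PathBuf, UploadError> {
    // Treat backslashes as separators too, so "..\x" is caught on any platform.
    let normalized = client_name.replace('\\', "/");
    let mut relative = PathBuf::new();
    for component in Path::new(&normalized).components() {
        match component {
            Component::Normal(part) => relative.push(part),
            Component::CurDir => {}
            // "..", a leading "/", or a drive prefix can all leave upload_dir.
            Component::ParentDir | Component::RootDir | Component::Prefix(_) => {
                return Err(UploadError::UnsafeComponent)
            }
        }
    }
    if relative.as_os_str().is_empty() {
        return Err(UploadError::EmptyName);
    }
    let target = upload_dir.join(relative);
    // Mirrors the overwrite flag described above: refuse existing files unless enabled.
    if !overwrite && target.exists() {
        return Err(UploadError::WouldOverwrite);
    }
    Ok(target)
}

fn main() {
    let dir = Path::new("/srv/share"); // constructed sample directory
    for name in ["report.txt", "../report.txt", "a/../../b", "/etc/x", ""] {
        println!("{:?} -> {:?}", name, resolve_upload_target(dir, name, true));
    }
}
```

This check is purely lexical: it does not resolve symbolic links that already exist inside the upload directory, which need a separate canonicalize-and-prefix comparison.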