Improper Authorization in liukuo362573/yishaadmin

Valid

Reported on

Jan 24th 2022


Description

The /admin/File/DownloadFile?filePath= endpoint neither checks that the caller is authenticated nor restricts filePath to the intended download directory. Any file whose path is known can therefore be retrieved by supplying a path-traversal sequence in filePath, even as an unauthenticated user.

This means that an unauthenticated user could download /etc/passwd, the application's configuration, or any other file they know the path to. This leaks sensitive data to unauthenticated and unauthorized users.

Note also that the endpoint deletes the file from the server immediately after it has been sent, so the same request that reads a file also removes it. An attacker can use this to delete sensitive or vital files from the web server and cause a denial of service (DoS).

An example URL would be:

106.14.124.170/admin/File/DownloadFile?filePath=../../../../../../../../../../../../../../../../../etc/crontab

Proof of Concept

As an unauthenticated user, make a GET request to: 106.14.124.170/admin/File/DownloadFile?filePath=../../../../../../../../../../../../../../../../../etc/crontab
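
The following is an added example, not code from yishaadmin or from the reporter, showing the defect class behind this endpoint next to the check that closes it. `unsafe_resolve` is a constructed illustration of the pattern the report describes (join the caller-controlled filePath onto the download root and serve whatever results); `safe_resolve` canonicalises the path and refuses anything that resolves outside the root. The download-root path, the helper names and the sample files are assumptions; the project's actual fix in commit c3b66e is not reproduced here.

```python
"""Path-traversal containment check for a file-download endpoint.

Added example, not yishaadmin code. Shows why joining a caller-supplied
filePath onto the download root is insufficient, and a resolve-then-
containment check that rejects traversal and absolute paths.
"""
import os
import tempfile
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

# The PoC request from the report, used only to extract the filePath parameter.
POC_URL = ("106.14.124.170/admin/File/DownloadFile?filePath="
           "../../../../../../../../../../../../../../../../../etc/crontab")


def file_path_from_url(url: str) -> str:
    """Return the filePath query parameter as the server would receive it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("filePath", [""])[0]


def unsafe_resolve(download_root: str, file_path: str) -> Path:
    """Constructed illustration of the vulnerable pattern: join and trust.

    os.path.normpath collapses the '..' segments, so a traversal payload
    walks straight out of download_root and the resulting path is served.
    """
    return Path(os.path.normpath(os.path.join(download_root, file_path)))


def safe_resolve(download_root: str, file_path: str) -> Path:
    """Resolve file_path under download_root and refuse anything outside it.

    Path.resolve() canonicalises '..' segments and symlinks, so containment
    is checked on the real target rather than on the raw string. An absolute
    file_path replaces the root when joined and is caught by the same check.
    """
    if "\x00" in file_path:
        raise ValueError("null byte in filePath")
    root = Path(download_root).resolve()
    target = (root / file_path).resolve()
    if root not in target.parents:
        raise PermissionError(f"filePath escapes download root: {file_path!r}")
    return target


def demo() -> dict:
    """Run both resolvers against constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "uploads")          # assumed download root
        root.mkdir()
        (root / "report.pdf").write_bytes(b"constructed upload")
        # A constructed sensitive file one level above the download root.
        Path(tmp, "appsettings.json").write_text('{"secret": "constructed secret"}')

        out = {}
        out["legit"] = safe_resolve(str(root), "report.pdf").read_bytes()
        out["unsafe_leak"] = unsafe_resolve(str(root), "../appsettings.json").read_text()
        try:
            safe_resolve(str(root), "../appsettings.json")
            out["safe_blocked"] = False
        except PermissionError:
            out["safe_blocked"] = True
        return out


if __name__ == "__main__":
    print("filePath from PoC URL:", file_path_from_url(POC_URL))
    print(demo())
```

The containment check is only half of the fix implied by this report: the handler must also require an authenticated, authorized caller before serving anything, and a GET download should never delete the file as a side effect, since that turns a read primitive into a destructive one.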

Impact

This vulnerability exposes sensitive data to unauthenticated and unauthorized users. Because the endpoint deletes the file after serving it, it can also be used to delete vital server files and cause a denial of service on the server.

We are processing your report and will contact the liukuo362573/yishaadmin team within 24 hours. 4 months ago
We have contacted a member of the liukuo362573/yishaadmin team and are waiting to hear back 4 months ago
1d8 modified the report 4 months ago
We have sent a follow up to the liukuo362573/yishaadmin team. We will try again in 7 days. 4 months ago
We have sent a second follow up to the liukuo362573/yishaadmin team. We will try again in 10 days. 4 months ago
liukuo362573 validated this vulnerability 4 months ago
1d8 has been awarded the disclosure bounty
The fix bounty is now up for grabs
liukuo362573 confirmed that a fix has been merged on c3b66e 4 months ago
The fix bounty has been dropped