Arbitrary file deletion in Gitea in go-gitea/gitea
Mar 12th 2022
When a user deletes LFS data in Gitea, the oid parameter is not validated. An attacker can craft an oid whose prefix is .... to traverse directories and delete any file on the server.
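The root cause described above is an unvalidated oid being joined onto the LFS store path. The following Go example is added here and is not Gitea's own code; it shows an unvalidated join beside a hardened path builder that accepts only a canonical LFS object id (64 lowercase hex characters) and then confirms the resulting path still lies inside the store. The store root, the aa/bb/<oid> sharding layout and the function names are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Git LFS object ids are SHA-256 digests rendered as 64 lowercase hex characters.
var oidPattern = regexp.MustCompile(`^[a-f0-9]{64}$`)

// ErrInvalidOID is returned for any oid that is not a well-formed LFS object id.
var ErrInvalidOID = errors.New("lfs: invalid object id")

// insideRoot reports whether path p, after cleaning, still lies beneath root.
func insideRoot(root, p string) bool {
	rel, err := filepath.Rel(filepath.Clean(root), filepath.Clean(p))
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// unsafeLFSObjectPath mirrors the flaw in the advisory: the oid is joined onto
// the store root without validation, so a traversal-shaped value cleans to a
// path outside the store. Shown for contrast only.
func unsafeLFSObjectPath(root, oid string) string {
	return filepath.Join(root, oid)
}

// LFSObjectPath is the hardened form: it accepts only a canonical oid and then
// double-checks that the built path is still inside the store. The aa/bb/<oid>
// sharding layout is an assumption for this example, not taken from Gitea.
func LFSObjectPath(root, oid string) (string, error) {
	if !oidPattern.MatchString(oid) {
		return "", ErrInvalidOID
	}
	p := filepath.Join(root, oid[0:2], oid[2:4], oid)
	if !insideRoot(root, p) {
		return "", ErrInvalidOID
	}
	return p, nil
}

// DeleteLFSObject removes an LFS object only after its oid has been validated.
func DeleteLFSObject(root, oid string) error {
	p, err := LFSObjectPath(root, oid)
	if err != nil {
		return err
	}
	return os.Remove(p)
}

func main() {
	const root = "/srv/gitea/lfs" // constructed sample store root
	for _, oid := range []string{
		"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", // well-formed oid
		"../../custom/conf/app.ini",                                        // traversal-shaped value
	} {
		unsafe := unsafeLFSObjectPath(root, oid)
		fmt.Printf("unvalidated: %q inside store: %v\n", unsafe, insideRoot(root, unsafe))
		if p, err := LFSObjectPath(root, oid); err != nil {
			fmt.Printf("validated:   rejected %q: %v\n", oid, err)
		} else {
			fmt.Printf("validated:   %q\n", p)
		}
	}
}
```

The regular expression is the primary control: anything that is not exactly 64 hex characters never reaches the filesystem. The insideRoot check is defence in depth, so a later change to the sharding layout or to how the path is assembled cannot silently reintroduce an escape from the store.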
Proof of Concept
Create a repository on Gitea. (e.g.
Send a POST request with your Gitea cookies and the CSRF token set in the request body.
The Gitea configuration file custom/conf/app.ini has been deleted.
This vulnerability allows files on the server to be deleted, which lets the attacker make the service unavailable. By deleting the Gitea configuration file, the attacker can reinstall the entire program after a restart.