Arbitrary file deletion in Gitea in go-gitea/gitea

Valid

Reported on

Mar 12th 2022


Description

When a user deletes LFS data in Gitea, the oid parameter is not validated. An attacker can supply an oid whose prefix is .... to traverse directories and delete arbitrary files on the server.

Proof of Concept

Create a repository on Gitea. (e.g. foo/bar)

Send a POST request with your Gitea cookies and the CSRF token in the request body.

POST /foo/bar/settings/lfs/delete/....%2fcustom%2fconf%2fapp.ini

The Gitea configuration file custom/conf/app.ini is deleted.

Impact

This vulnerability allows deleting files on the server, which lets the attacker make the service unavailable. By deleting the Gitea configuration file, the attacker can reinstall the entire program after it restarts.
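Added example in Go (not Gitea's own code and not the fix in PR 19072): the unchecked path build that reproduces the traversal described above, beside a hardened version that validates the oid as 64 lowercase hex characters and then confirms the cleaned path still lies inside the store. The store root and the two-level ab/cd/rest layout are assumptions used for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// lfsRoot is a constructed stand-in for the LFS store; LFS oids are 64 lowercase hex chars (SHA-256).
const lfsRoot = "/var/lib/gitea/data/lfs"
var validOID = regexp.MustCompile(`^[0-9a-f]{64}$`)

// ValidateOID rejects anything that is not a well-formed oid, so it can never carry separators or dot segments.
func ValidateOID(oid string) error {
	if !validOID.MatchString(oid) {
		return fmt.Errorf("invalid LFS oid %q", oid)
	}
	return nil
}

// relativePath models a two-level prefix layout (ab/cd/rest), assumed here for illustration and not Gitea's own code.
func relativePath(oid string) string {
	if len(oid) < 5 {
		return oid
	}
	return filepath.Join(oid[0:2], oid[2:4], oid[4:]) // a "...." prefix becomes "../../"
}

// ObjectPathUnchecked is the pre-fix behaviour: the oid goes straight into the path.
func ObjectPathUnchecked(oid string) string {
	return filepath.Join(lfsRoot, relativePath(oid))
}

// ObjectPath validates the oid and, as defence in depth, confirms the cleaned path still lies inside lfsRoot.
func ObjectPath(oid string) (string, error) {
	if err := ValidateOID(oid); err != nil {
		return "", err
	}
	p := filepath.Join(lfsRoot, relativePath(oid))
	if !strings.HasPrefix(p, lfsRoot+string(filepath.Separator)) {
		return "", fmt.Errorf("oid %q escapes the LFS store", oid)
	}
	return p, nil
}

func main() {
	fmt.Println(ObjectPathUnchecked("..../custom/conf/app.ini")) // the report's oid, URL-decoded: resolves outside lfsRoot
	fmt.Println(ObjectPath("..../custom/conf/app.ini"))          // rejected by ValidateOID
}
```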

We are processing your report and will contact the go-gitea/gitea team within 24 hours. 4 months ago
We have contacted a member of the go-gitea/gitea team and are waiting to hear back 4 months ago
We have sent a follow up to the go-gitea/gitea team. We will try again in 7 days. 3 months ago
go-gitea/gitea maintainer
3 months ago

Maintainer


Thanks for this report, we've resolved this in https://github.com/go-gitea/gitea/pull/19072

We are writing the blog post right now and will be crediting your username (and huntr.dev too), please let us know if you'd prefer a different credit other than your username.

E99p1ant
3 months ago

Researcher


Thanks. Could you please use E99p1ant as the credit name? And here is my GitHub profile: https://github.com/wuhan005

go-gitea/gitea maintainer has acknowledged this report 3 months ago
zeripath validated this vulnerability 3 months ago
E99p1ant has been awarded the disclosure bounty
The fix bounty is now up for grabs
zeripath confirmed that a fix has been merged on 49db87 3 months ago
The fix bounty has been dropped
E99p1ant
3 months ago

Researcher


Hi, I noticed that the blog post has been released. It seems like my username is missing in the post. 😂

go-gitea/gitea maintainer
3 months ago

Maintainer


https://gitea.com/gitea/blog/pulls/188 will fix that.
