Headline
CVE-2023-37781: a security issue was found · Issue #10419 · emqx/emqx
An issue in the emqx_sn plugin of EMQX v4.3.8 allows attackers to execute a directory traversal via uploading a crafted .txt file.
What happened?
A path traversal exists in the HTTP API POST http://xxx.xxx.xxx.xxx:xxx/api/v4/data/file/
If the filename parameter is …/…/…/test, the attacker can write a malicious file anywhere. Investigating it more deeply: if the plugin schema file is replaced and "os:cmd("echo 12345678 > hacked.txt")" is added, then the attacker can execute a malicious command by clicking the plugin load button or triggering the related HTTP API.
Of course, the attacker has to log in to the dashboard first. That could happen if someone uses a weak password or an old version's default password is used.
What did you expect to happen?
Fix the path traversal issue.
How can we reproduce it (as minimally and precisely as possible)?
No response
Anything else we need to know?
No response
EMQX version
$ ./bin/emqx_ctl broker
ALL VERSION!!!
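A server-side check for the upload filename described in this report, added here as an illustration in Python; it is not EMQX code (EMQX is written in Erlang) and not the project's fix. The function names, the sample names and the no-overwrite policy are assumptions.

```python
import os
import tempfile
from pathlib import Path


class UnsafeFilename(ValueError):
    """Raised when a client-supplied upload name is not a plain file name."""


def resolve_upload_path(base_dir, filename):
    """Return the absolute path for `filename` inside `base_dir`, or raise."""
    if not filename or "\x00" in filename:
        raise UnsafeFilename("empty name or NUL byte")
    # Accept a single path component only; check both separator styles.
    if "/" in filename or "\\" in filename or filename in (".", ".."):
        raise UnsafeFilename("directory components are not allowed")
    base = Path(base_dir).resolve()
    target = (base / filename).resolve()
    # Defence in depth: after symlink resolution the file must sit in base.
    if target.parent != base:
        raise UnsafeFilename("resolved path leaves the upload directory")
    return target


def save_upload(base_dir, filename, data):
    """Write `data` to a new file; never replace a file that already exists."""
    target = resolve_upload_path(base_dir, filename)
    # O_EXCL fails the create instead of overwriting an existing file.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    return target


# Constructed sample names, not taken from the report.
SAMPLE_NAMES = ["export.json", "../../../test", "/etc/test", "..\\test", ".."]


def check_names(names):
    """Try to save each name into a scratch directory and record the outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as upload_dir:
        for name in names:
            try:
                save_upload(upload_dir, name, b"sample")
                results[name] = "accepted"
            except (UnsafeFilename, FileExistsError):
                results[name] = "rejected"
    return results
```

Refusing to overwrite matters here because the report's escalation path depends on replacing an existing plugin schema file.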