Headline
CVE-2022-1850: Path Traversal in filegator
Path Traversal in GitHub repository filegator/filegator prior to 7.8.0.
🔒️ Requirements
Privilege: User
📝 Description
The file path isn’t properly sanitized and allows …
🕵️♂️ Proof of Concept
Listing other user folder content
First, create a user with the Read privilege and a specific home folder such as /test. Then connect to that account and open the home page http://localhost:8080/:
From this, change the folder using path traversal via the cd parameter:
As you can see, we are able to view the folder content.
Write file
First, create a user with Read and Write privileges and a specific home folder such as /test. Then connect to that account and open the home page http://localhost:8080/. From here, create a new file named …\test.txt and then go to the root folder with another account:
You will see that the file was created outside of the test user’s folder limitation.
PS: Note that the same could be done to all features in the file https://github.com/filegator/filegator/blob/642bb273334207359166d48b6c719a89e98a0676/backend/Controllers/FileController.php due to:
$this->separator
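One way to confine a user-supplied name to a home folder when both `/` and `\` can act as separators, as an added example (not FileGator's code or its actual fix). The helpers `naiveJoin` and `safeJoin` and the sample names are hypothetical and constructed for illustration:

```php
<?php
// Added example: hypothetical helpers, not taken from FileGator.

// Naive join: only "/" is known as a separator, so a name containing "..\"
// passes the filter unchanged and is left for a later layer to interpret.
function naiveJoin(string $home, string $name): string
{
    $name = str_replace('../', '', $name);
    return rtrim($home, '/') . '/' . $name;
}

// Hardened join: split on both separators, resolve "." and ".." segments,
// and refuse any name that would climb above the user's home folder.
function safeJoin(string $home, string $name): string
{
    if (strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in path');
    }
    $resolved = [];
    foreach (preg_split('#[\\\\/]+#', $name, -1, PREG_SPLIT_NO_EMPTY) as $segment) {
        if ($segment === '.') {
            continue;
        }
        if ($segment === '..') {
            if ($resolved === []) {
                throw new InvalidArgumentException('path escapes home folder');
            }
            array_pop($resolved);
            continue;
        }
        $resolved[] = $segment;
    }
    return rtrim($home, '/') . '/' . implode('/', $resolved);
}

// Constructed sample names; "/test" is the home folder used in the report.
foreach (['notes.txt', 'sub/../notes.txt', '..\\test.txt', 'a\\..\\..\\test.txt'] as $name) {
    try {
        $result = safeJoin('/test', $name);
    } catch (InvalidArgumentException $e) {
        $result = 'rejected: ' . $e->getMessage();
    }
    printf("%-20s naive=%-28s safe=%s\n", $name, naiveJoin('/test', $name), $result);
}
```

Applying the same resolution step to every controller action that accepts a path (list, create, move, copy and so on) keeps the check in one place instead of relying on each feature to filter names itself.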
Impact
An attacker can use path traversal to:
- List files in folders that they shouldn’t have access to.
- Write|Move|Copy|… files in a folder that the current user doesn’t have rights for.
Related news
Path Traversal in GitHub repository filegator/filegator prior to 7.8.0 for non-admin users. Files created with `..\` as part of their name will be interpreted as a path. Users are thus able to add filesystem entries outside the scope of their user to their dashboard and subsequently are able to modify those files.