Headline
CVE-2023-43662: GHSL-2023-191: Arbitrary File Read
ShokoServer is a media server which specializes in organizing anime. In affected versions the /api/Image/WithPath
endpoint is accessible without authentication and is supposed to return default server images. The endpoint accepts the parameter serverImagePath
, which is not sanitized in any way before being passed to System.IO.File.OpenRead
, which results in an arbitrary file read. This issue may lead to an arbitrary file read which is exacerbated in the windows installer which installs the ShokoServer as administrator. Any unauthenticated attacker may be able to access sensitive information and read files stored on the server. The /api/Image/WithPath
endpoint has been removed in commit 6c57ba0f0
which will be included in subsequent releases. Users should limit access to the /api/Image/WithPath
endpoint or manually patch their installations until a patched release is made. This issue was discovered by the GitHub Security lab and is also indexed as GHSL-2023-191.
GitHub Security Lab (GHSL) Vulnerability Report, ShokoServer: GHSL-2023-191
The GitHub Security Lab team has identified a potential security vulnerability in ShokoServer.
We are committed to working with you to help resolve this issue. In this report you will find everything you need to effectively coordinate a resolution of this issue with the GHSL team.
If at any point you have concerns or questions about this process, please do not hesitate to reach out to us at [email protected] (please include GHSL-2023-191 as a reference).
If you are NOT the correct point of contact for this report, please let us know!
Summary
An arbitrary file read exists in the /api/Image/WithPath endpoint that would allow unauthenticated attackers to read arbitrary files on Windows systems.
Product
ShokoServer
Tested Version
v4.2.2
Details****/api/Image/WithPath arbitrary file read (GHSL-2023-191)
The /api/Image/WithPath endpoint is accessible without authentication and is supposed to return default server images. The endpoint accepts the parameter serverImagePath, which is not sanitized in any way before being passed to System.IO.File.OpenRead, which results in an arbitrary file read.
[HttpGet(“WithPath/{serverImagePath}”)] public object GetImageUsingPath(string serverImagePath) { if (!System.IO.File.Exists(serverImagePath)) { logger.Trace("Could not find AniDB_Cover image: {0}", serverImagePath); return NotFound(); }
Response.ContentType \= Mime.GetMimeMapping(serverImagePath);
return System.IO.File.OpenRead(serverImagePath);
}
Impact
This issue may lead to Arbitrary File Read. The windows installer installs the ShokoServer as administrator, so any unauthenticated attacker may be able to access sensitive information and read files stored on the server.
Remediation
- Ensure that the user input serverImagePath is within the expected path by first calling fullPath = System.IO.Path.GetFullPath(serverImagePath)
- Call fullPath.StartsWith(basePath), where basePath represents the folder that the images should be stored in.
Resources
In order to exploit this vulnerability on Windows, run curl http:/shokoserever.domain/api/Image/withpath/C:\Windows\secret.txt, where shokoserever.domain is your ShokoServer instance. This will return the contents of C:\Windows\secret.txt. Browsers will auto convert \ to / so use a tool like curl or a proxy to ensure the path is correct.
This vulnerability was found with the help of CodeQl’s Path Injection Query.
GitHub Security Advisories
We recommend you create a private GitHub Security Advisory for this finding. This also allows you to invite the GHSL team to collaborate and further discuss this finding in private before it is published.
Credit
This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).
Contact
You can contact the GHSL team at [email protected], please include a reference to GHSL-2023-191 in any communication regarding this issue.
Disclosure Policy
This report is subject to a 90-day disclosure deadline, as described in more detail in our coordinated disclosure policy.