Headline

GHSA-h5gf-cmm8-cg7c: CasaOS-UserService allows unauthorized access to any file

Summary

http://demo.casaos.io/v1/users/image?path=/var/lib/casaos/1/avatar.png

Originally it was to get the url of the user’s avatar, but the path filtering was not strict, making it possible to get any file on the system.

Details

Construct paths to get any file.

Such as the CasaOS user database, and furthermore can obtain system root privileges.

PoC

http://demo.casaos.io/v1/users/image?path=/var/lib/casaos/conf/…/db/user.db

Impact

v0.4.6 all previous versions

10 months ago

ghsa

Open in Source

#git #auth

Package

gomod github.com/IceWhaleTech/CasaOS-UserService (Go)

Affected versions

< 0.4.7

Patched versions

0.4.7

Description

Summary

http://demo.casaos.io/v1/users/image?path=/var/lib/casaos/1/avatar.png

Originally it was to get the url of the user’s avatar, but the path filtering was not strict, making it possible to get any file on the system.

Details

Construct paths to get any file.

Such as the CasaOS user database, and furthermore can obtain system root privileges.

PoC

http://demo.casaos.io/v1/users/image?path=/var/lib/casaos/conf/…/db/user.db

Impact

v0.4.6 all previous versions

References

GHSA-h5gf-cmm8-cg7c
IceWhaleTech/CasaOS-UserService@3f4558e
https://github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7

tigerinus published to IceWhaleTech/CasaOS-UserService

Mar 6, 2024

Published to the GitHub Advisory Database

Mar 6, 2024

Reviewed

Mar 6, 2024

ghsa: Latest News

GHSA-mm6v-68qp-f9fw: Crayfish allows Remote Code Execution via Homarus Authorization header

7 hours ago

ghsa

GHSA-c873-wfhp-wx5m: SP1 has missing verifier checks and fiat-shamir observations

8 hours ago

ghsa

GHSA-7pq6-v88g-wf3w: Sentry's improper authentication on SAML SSO process allows user impersonation

8 hours ago

ghsa

GHSA-2c6g-pfx3-w7h8: Insecure Temporary File in RESTEasy

10 hours ago

ghsa

GHSA-5m7j-6gc4-ff5g: Mattermost fails to properly validate post props

11 hours ago

ghsa