Listen to this Post
The vulnerability exists within the `FsRemove` and `FsCopy` file operation handlers in server/handles/fsmanage.go. The application takes user-supplied filenames from the `req.Names` parameter and concatenates them with a pre-validated base directory path using stdpath.Join. The `stdpath.Join` function is intended to clean paths, but when presented with a filename component containing Directory Traversal sequences like ../../otheruser/file.txt, it naively incorporates them into the final resolved path. This allows an authenticated attacker to inject `..` sequences to escape their designated directory (e.g., /local/alice) and traverse into other users’ directories within the same storage mount (e.g., `/local/` or /local/admin). Consequently, by specifying a malicious filename parameter, an attacker can perform unauthorized file operations such as deletion, copying, or reading of files belonging to any other user on the same storage backend, effectively bypassing the application’s intended directory-level authorization checks.
Platform: Alist File Manager
Version: vX.X.X
Vulnerability: Path Traversal Bypass
Severity: Critical
date: 2024-XX-XX
Prediction: Patch Expected 2024-XX-XX
What Undercode Say:
Simulating malicious request for FsCopy
curl -X POST 'http://target/alist/api/fs/copy' \
-H 'Authorization: Bearer <ALICE_TOKEN>' \
-H 'Content-Type: application/json' \
-d '{
"src_dir": "/alice",
"dst_dir": "/alice",
"names": ["../../admin/adminsecret.txt"]
}'
// Vulnerable code snippet from fsmanage.go
func FsRemove(c gin.Context) {
// ...
for _, name := range req.Names {
// 'name' containing ".." bypasses restriction
err := fs.Remove(c, stdpath.Join(reqDir, name))
// ...
}
}
How Exploit:
Authenticated attacker injects traversal sequences (../../) into `req.Names` parameter during `FsRemove` or `FsCopy` API calls, targeting known file paths to read or delete files outside their authorized directory scope.
Protection from this CVE:
Sanitize user-input filenames. Validate final resolved path remains within user’s authorized root directory using absolute path checks before filesystem operations.
Impact:
Unauthorized Data Access, Data Destruction, Privilege Escalation within shared storage.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

