Aural-Alliance / FurryMusicDB

The Furry Musicians Database
https://furrymusicians.info
Apache License 2.0
5 stars 1 forks source link

Lfi via /api/artists endpoint #26

Closed molangning closed 8 months ago

molangning commented 8 months ago

Currently there is a way to include a file using directory traversal

Vulnerable path

/api/artist/{random-artist-id}\..\..\{target path}/art-1709773367.jpg

Example to get file through lfi:

curl "https://furrymusicians.info/api/artist/random\..\..\labels\1eedc13d-1a3f-6ed8-a3a8-6710d4c4554b/art-1709773367.jpg" --output temp.jpg

This vulnerbility is dangerous as it can be chained with other attacks to achieve rce.

One of the ways to migrate this vulnerability can be by passing the path through realpath, checking file type at path, or by terminating the request if there is double dots (..) in artist_id.

BusterNeece commented 8 months ago

@molangning So my assumption here was that the Flysystem filesystem abstraction library would mitigate against this, and after looking through the relevant code, it turns out I'm correct in that assumption, but only when traversing outside the volume managed by Flysystem itself.

In this case, what that means is that you could load other user-uploaded images provided you know their unique identifiers (like the example), but if you were to traverse outside the user-uploaded content volume (i.e. to try to traverse to /etc/passwd), this would not be possible and would yield an exception.

Rather than try to implement more code on top of Flysystem's existing traversal detection code, I consider this specific level of traversal to be completely acceptable, since the only visible content would be publicly visible content anyway.