gorilla / sessions

Package gorilla/sessions provides cookie and filesystem sessions and infrastructure for custom session backends.
https://gorilla.github.io
BSD 3-Clause "New" or "Revised" License

FilesystemStore is vulnerable to directory traversal attacks #275

Closed. neild closed this 6 months ago

neild commented 7 months ago

Is there an existing issue for this?

Current Behavior

I'm filing this as a public issue, since it has already been disclosed elsewhere.

FilesystemStore uses an unsanitized Session.ID when constructing filenames. The documentation for Session states that ID "should not be used for user data", but I don't see anything in the documentation stating that IDs must not contain path traversal characters.

Path traversal in FilesystemStore is a component of CVE-2024-3400 in Palo Alto VPN (https://unit42.paloaltonetworks.com/cve-2024-3400/), an actively-exploited remote code execution attack. While this presumably stems from a misuse of the Session API, in which attacker-controlled data was used as a Session.ID, this demonstrates that lack of sanitization is quite hazardous.

The Go Vulnerability Database has assigned this the ID https://pkg.go.dev/vuln/GO-2024-2730.

Expected Behavior

No response

Steps To Reproduce

No response

Anything else?

No response
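The pattern the issue describes, shown as an added example rather than code from gorilla/sessions: an ID is concatenated into a filename with no validation (VulnerablePath), beside a hardened version that restricts the ID to a safe alphabet and then confirms the resulting path still lies inside the store directory before any file is touched. The Store type, SafePath, the "session_" filename prefix and the ID alphabet are assumptions for illustration, not the project's API; the attacker-controlled ID is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// ErrBadSessionID is returned for IDs that are not safe to embed in a filename.
var ErrBadSessionID = errors.New("session: invalid session ID")

// VulnerablePath reproduces the unsafe pattern the issue describes: the
// session ID is joined into a filename with no validation, so an ID made of
// ".." segments and separators climbs out of the store directory.
func VulnerablePath(dir, id string) string {
	return filepath.Join(dir, "session_"+id)
}

// idPattern accepts only the characters a random, encoded session ID would
// contain (assumption: letters, digits, '-' and '_'); '.', '/' and '\' are
// rejected before anything reaches the filesystem.
var idPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{1,128}$`)

// Escapes reports whether path p, once cleaned, lies outside dir.
func Escapes(dir, p string) bool {
	rel, err := filepath.Rel(dir, p)
	if err != nil {
		return true
	}
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// SafePath validates the ID, builds the path, then re-checks containment as
// defence in depth in case the filename format ever changes.
func SafePath(dir, id string) (string, error) {
	if !idPattern.MatchString(id) {
		return "", ErrBadSessionID
	}
	p := filepath.Join(dir, "session_"+id)
	if Escapes(dir, p) {
		return "", ErrBadSessionID
	}
	return p, nil
}

// Store is a hypothetical minimal file-backed session store (not gorilla's
// FilesystemStore) that routes every filename through SafePath.
type Store struct{ Dir string }

// Save writes the session payload; mode 0600 keeps other local users out.
func (s Store) Save(id string, data []byte) error {
	p, err := SafePath(s.Dir, id)
	if err != nil {
		return err
	}
	return os.WriteFile(p, data, 0o600)
}

// Load reads a session payload back, applying the same validation.
func (s Store) Load(id string) ([]byte, error) {
	p, err := SafePath(s.Dir, id)
	if err != nil {
		return nil, err
	}
	return os.ReadFile(p)
}

func main() {
	dir, err := os.MkdirTemp("", "sessions")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	// Constructed attacker-controlled ID with enough ".." segments to reach "/".
	attack := "../../../../../../etc/passwd"
	unsafe := VulnerablePath(dir, attack)
	fmt.Println("unsafe path:", unsafe, "escapes store dir:", Escapes(dir, unsafe))

	st := Store{Dir: dir}
	fmt.Println("hardened save of attack ID:", st.Save(attack, []byte("x")))

	good := "MFRGGZDFMZTWQ2LKNZSXGZLT" // constructed, shaped like an encoded random ID
	if err := st.Save(good, []byte("user=42")); err != nil {
		panic(err)
	}
	data, _ := st.Load(good)
	fmt.Println("hardened load:", string(data))
}
```

The regexp check is the one that matters: filepath.Join cleans the path but does not confine it, so "session_../../x" still resolves above the store directory. The Rel-based containment check is a backstop, not a substitute for rejecting the ID.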

mlec1 commented 7 months ago

I think it has been fixed in this MR

https://github.com/gorilla/sessions/pull/274

jaitaiwan commented 6 months ago

That's correct, thanks @mlec1