tobychui / arozos

Web Desktop Operating System for low power platforms, Now written in Go!
https://os.aroz.org
GNU General Public License v3.0

[BUG] Unauthorized file&folder access of other users under certain situations #92

Closed gafea closed 2 years ago

gafea commented 2 years ago

Describe the bug Any user, whether admin or not, can access other users' files and folders that start with their username placed in files/users/ without having their passwords, given that they already know the victim's username.

For example, a user with username 'ga' can access any files of user 'gafea' or 'gajdnfhgioasdhf'

To Reproduce Steps to reproduce the behavior:

  1. Having an admin account, in my case my username will be 'gafea'

  2. Create a file on desktop, e.g. a text file called 'secret.txt', type something and save it

  3. Create a user with username that starts with my username, e.g. 'ga'. Having admin permission or not is not important

  4. Start another browser or go incognito and sign into the new account just created

  5. Start the new acc's devtools and POST to [domain]/system/file_system/listDir with dir=user:[char diff between victim's username and mine]/, like dir=user:fea/ ...

  6. ...which returns a JSON of the 'gafea' user root folder! We are looking at gafea's folders from the 'ga' account!

  7. When we change to dir=user:fea/Desktop/, which returns the files contained in gafea's desktop, we can see that secret.txt is listed too.

  8. Using the /media/ API, we can even issue a GET to secret.txt and read its content too!

Sidenote: I have only tested on Windows which works and haven't tested on arm or linux yet.


tobychui commented 2 years ago

Thanks for your bug report. This seems to be a really critical bug and I will see if I can fix it within this week. My guess would be the virtual path translation logic got something screwed up, I will look into it later tonight. @yeungalan can you check if you can reproduce this on your nightly build as well?

yeungalan commented 2 years ago

Yes I am able to recreate this bug

tobychui commented 2 years ago

Patch has been released with v1.121

gafea commented 2 years ago

// Big thanks for your imminent response to the issue! // However, rushed patches often cause more problems, don't they 👀

Describe the (new) bug Any user, whether admin or not, can utilize directory traversal attack to access all users' files and folders placed in files/users/ without having their passwords.

To Reproduce Steps to reproduce the behavior:

  1. Start any acc's devtools and POST to [domain]/system/file_system/listDir with dir=user:../ will return a list of existing accounts saved on the server

  2. I am currently signed in with 'ga'; POSTing with dir=user:../fea/Desktop/ returns the folder of user 'fea' without any headaches

  3. Accessing files with the /media/ API also works


Maybe you can try to mitigate the possibility of parsing any string between user: and the first slash? Like changing the return value of user: from files/users/gafea to files/users/gafea/ and removing the starting slash from apps calling the API. I did see you trying to mitigate directory traversal in the codebase, so user:/../ doesn't work. This is a fantastic project, keep your passion!

tobychui commented 2 years ago

Ok, it seems this bug will stick around for a while. Let me re-open this and try to figure out a better solution to fix it. (๑´ㅁ`)

tobychui commented 2 years ago

Hi @gafea, would you mind testing with the latest patch to see if it has been resolved? (You might need to build from source as I didn't create a release for this experimental patch).

From my testing it seems this time all directory traversal is blocked. I am also asking our coauthors to help test things out. Thank you so much for your time and effort to help make arozos a safer system :)

gafea commented 2 years ago

That patch looks good to me 👍🏻

Edit: It should be noted that trying to access files with two dots in their filename is also blocked by this screening 👀
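The two reports above (a "user:" prefix that is joined to the caller's home directory without a separator, so `user:fea/` from account `ga` lands in `gafea/`; then a `../` segment that walks out of the home directory once the separator is added) and the edit about filenames containing two dots are all properties of the virtual-path translation step. The following is an added illustration, not arozos code: a hypothetical `files/users/<username>/` layout, a `naiveTranslate` that reproduces the two reported behaviours, and a `safeTranslate` that anchors `user:` at the caller's root, cleans the path, and checks containment on the cleaned result instead of scanning for the substring `..`, so `notes..old.txt` stays reachable while `../fea/Desktop/` does not.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// userRoot is the on-disk directory holding per-user storage.
// Hypothetical layout assumed for this example: files/users/<username>/...
const userRoot = "files/users"

// naiveTranslate replaces the "user:" prefix with the caller's home directory
// and nothing else. sep="" reproduces the first report (no separator, so the
// home directory of any user whose name starts with the caller's is reachable);
// sep="/" reproduces the second (the OS later collapses "..", so the result
// can leave the caller's home). It exists only to show the failure.
func naiveTranslate(username, vpath, sep string) string {
	return userRoot + "/" + username + sep + strings.TrimPrefix(vpath, "user:")
}

var (
	errBadUsername = errors.New("username must be a single path segment")
	errBadScheme   = errors.New("unsupported virtual path")
	errTraversal   = errors.New("virtual path escapes the user's root")
)

// safeTranslate resolves user:<rel> to userRoot/<username>/<rel> and refuses
// any result outside the caller's own root. Backslashes are normalised first
// so "..\fea" cannot slip through on Windows, where os treats them as
// separators. The containment test runs on the cleaned path, so a ".."
// *segment* is rejected while a filename that merely contains ".." is allowed.
// The returned path uses forward slashes; pass it through filepath.FromSlash
// before touching the filesystem.
func safeTranslate(username, vpath string) (string, error) {
	if username == "" || username == "." || username == ".." ||
		strings.ContainsAny(username, `/\`) {
		return "", errBadUsername
	}
	if !strings.HasPrefix(vpath, "user:") {
		return "", errBadScheme
	}
	rel := strings.TrimPrefix(vpath, "user:")
	rel = strings.ReplaceAll(rel, `\`, "/")
	rel = strings.TrimLeft(rel, "/") // "user:/Desktop" and "user:Desktop" are the same place

	root := path.Join(userRoot, username) // path.Join cleans its result
	full := path.Join(root, rel)          // ".." segments are resolved here

	// full must be root itself or live strictly below root + "/".
	if full != root && !strings.HasPrefix(full, root+"/") {
		return "", errTraversal
	}
	return full, nil
}

func main() {
	fmt.Println(naiveTranslate("ga", "user:fea/", ""))                          // files/users/gafea/
	fmt.Println(path.Clean(naiveTranslate("ga", "user:../fea/Desktop/", "/"))) // files/users/fea/Desktop
	for _, v := range []string{
		"user:fea/", "user:../fea/Desktop/", "user:../", "user:/../",
		`user:..\fea/`, "user:Desktop/notes..old.txt", "user:",
	} {
		p, err := safeTranslate("ga", v)
		fmt.Printf("%-30q -> %q %v\n", v, p, err)
	}
}
```

The check that matters is `full != root && !HasPrefix(full, root+"/")` after cleaning: it is independent of how many `..` appear, of whether the path is `user:../` or `user:/../`, and of the separator the client used, and it does not mis-classify `..` inside a filename. Any future change to how `user:` is spelled out only has to keep that one test in place.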

tobychui commented 2 years ago

> That patch looks good to me 👍🏻
>
> Edit: It should be noted that trying to access files with two dots in their filename is also blocked by this screening 👀

Nice to know! Now I am closing this issue and will be releasing the 1.121v3 later.