Closed YamiOdymel closed 1 month ago
This also affects ARM64 on v3.1.0. I am able to reproduce this on my setup.
@krosseyed No worry, this API requires authentication before access and this does not pose an immediate security risk to Zoraxy. This will be fixed in the next release.
Ah, I see access is denied to that URL after logging out. I do have to log in to get traversal to /etc/passwd, and I do not expose Zoraxy directly to the internet.
Thanks for being proactive on this @tobychui and I really enjoy using this software!
For the future maybe it would be better to not post it publicly? :D
I did feel sorry and privately messaged @tobychui to talk about this 💀💀
I'll be more careful next time to avoid any concerns
Patched
Describe the bug
A logged-in user can access /etc/passwd with the Web Directory Manager in the Static Web Server.

To Reproduce
1. Go to the Static Web Server tab.
2. Open index.html in the Web Directory Manager section.
3. http://localhost:8000/api/fs/download?file=/index.html&preview=true appeared.
4. Request http://localhost:8000/api/fs/download?file=/../../../../../../../../../../../etc/passwd&preview=true instead.

Expected behavior
It should return "file not found" because it is out of bounds.

Additional context
Steps provided in Golang Path Traversal Guide: Examples and Prevention:
- filepath.Clean()
- filepath.EvalSymlinks()
- filepath.Dir()
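The following is an added Go example written for this page, not Zoraxy's handler or the code from the linked guide. It puts the unchecked pattern the report describes beside a resolver that applies the prevention steps listed above (Clean, a containment check, EvalSymlinks), and goes a little beyond the report by also covering a symlink inside the web root that points back out, and the "file not found" case. The function names (`vulnerableResolve`, `safeResolve`, `within`), the `ErrOutsideRoot` error and the temp-directory tree built by `setupDemoRoot` are all assumptions constructed for the demo; the `/../../../../../../../../../../../etc/passwd` payload is the one from the report.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned for any request that would resolve outside the web root.
var ErrOutsideRoot = errors.New("requested path is outside the web root")

// vulnerableResolve is the pattern the report describes (constructed for this
// example, not Zoraxy's code): the user-controlled "file" parameter is glued onto
// the web root, so "/../../../etc/passwd" walks straight out of it.
func vulnerableResolve(root, userPath string) string {
	return filepath.Clean(root + userPath)
}

// safeResolve maps a request path onto root and refuses anything that escapes it:
// Join/Clean collapses "." and ".."; a containment check rejects the lexical
// escape; EvalSymlinks plus a second check catches a symlink that points back out.
func safeResolve(root, userPath string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absRoot, filepath.FromSlash(userPath))
	if !within(absRoot, target) {
		return "", ErrOutsideRoot
	}
	realRoot, err := filepath.EvalSymlinks(absRoot)
	if err != nil {
		return "", err
	}
	// A missing file surfaces here as os.ErrNotExist, i.e. "file not found".
	realTarget, err := filepath.EvalSymlinks(target)
	if err != nil {
		return "", err
	}
	if !within(realRoot, realTarget) {
		return "", ErrOutsideRoot
	}
	return realTarget, nil
}

// within reports whether p is base itself or lies beneath it.
func within(base, p string) bool {
	rel, err := filepath.Rel(base, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// setupDemoRoot builds a constructed tree in a temp dir and returns the web root <tmp>/www:
// <tmp>/secret.txt sits outside the root, <tmp>/www/index.html inside it, and
// <tmp>/www/escape is a symlink to ../secret.txt that points back out of the root.
func setupDemoRoot() (root string, cleanup func(), err error) {
	tmp, err := os.MkdirTemp("", "traversal-demo")
	if err != nil {
		return "", nil, err
	}
	cleanup = func() { os.RemoveAll(tmp) }
	root = filepath.Join(tmp, "www")
	steps := []func() error{
		func() error { return os.Mkdir(root, 0o755) },
		func() error { return os.WriteFile(filepath.Join(tmp, "secret.txt"), []byte("root:x:0:0\n"), 0o644) },
		func() error { return os.WriteFile(filepath.Join(root, "index.html"), []byte("<h1>hi</h1>\n"), 0o644) },
		func() error { return os.Symlink(filepath.Join("..", "secret.txt"), filepath.Join(root, "escape")) },
	}
	for _, step := range steps {
		if err := step(); err != nil {
			cleanup()
			return "", nil, err
		}
	}
	return root, cleanup, nil
}

func main() {
	root, cleanup, err := setupDemoRoot()
	if err != nil {
		panic(err)
	}
	defer cleanup()
	for _, r := range []string{"/index.html", "/../../../../../../../../../../../etc/passwd", "/escape", "/missing.html"} {
		p, err := safeResolve(root, r)
		fmt.Printf("%-46s vulnerable=%s safe=%q err=%v\n", r, vulnerableResolve(root, r), p, err)
	}
}
```

The lexical check alone is what the report asks for (the traversal payload is rejected before any filesystem access), but it is not sufficient on its own: a symlink created inside the web root can still point at /etc/passwd, which is why the resolved path is checked a second time after EvalSymlinks on both the root and the target.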