tobychui / zoraxy

A general purpose HTTP reverse proxy and forwarding tool. Now written in Go!
https://zoraxy.aroz.org
GNU Affero General Public License v3.0
2.94k stars 180 forks

[BUG] Path Traversal Vulnerability with Static Web Server #274

Closed YamiOdymel closed 1 month ago

YamiOdymel commented 3 months ago

Describe the bug

A logged-in user can access /etc/passwd with the Web Directory Manager in the Static Web Server.

To Reproduce

  1. Go to the Static Web Server tab.
  2. Click on index.html in the Web Directory Manager section.
  3. The URL http://localhost:8000/api/fs/download?file=/index.html&preview=true appears.
  4. Replace it with http://localhost:8000/api/fs/download?file=/../../../../../../../../../../../etc/passwd&preview=true.

Expected behavior

It should return file not found because it is out of bounds.

Screenshots

[screenshot]

Host Environment (please complete the following information):

Additional context

Steps provided in Golang Path Traversal Guide: Examples and Prevention
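The check the report asks for (a `file` query parameter resolved against the web root and answered with "file not found" when it escapes), as an added Go example that is not Zoraxy's code; `SafeJoin`, `DownloadHandler` and the root `/srv/www` are names and values assumed for the example:

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a requested path would escape the web root.
var ErrOutsideRoot = errors.New("requested path escapes the web root")

// SafeJoin resolves userPath (for example the `file` query parameter of a
// download endpoint) against root and refuses any result that is not inside
// root. Hypothetical helper written for this example; it is not Zoraxy's code.
func SafeJoin(root, userPath string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Treat the user path as root-relative: strip leading slashes so that an
	// absolute "/etc/passwd" cannot be joined as-is, then let Join clean it.
	// "/../../../etc/passwd" becomes "../../../etc/passwd", and Join collapses
	// it to "/etc/passwd", which the prefix check below rejects.
	rel := strings.TrimLeft(filepath.ToSlash(userPath), "/")
	joined := filepath.Join(absRoot, filepath.FromSlash(rel))
	// Accept absRoot itself or absRoot + separator + something; comparing with
	// the separator included stops "/srv/www" from accepting "/srv/wwwevil/x".
	if joined != absRoot && !strings.HasPrefix(joined, absRoot+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return joined, nil
}

// DownloadHandler returns an http.Handler that serves files below root named
// by the `file` query parameter and answers 404 to anything that resolves
// outside it. http.ServeFile rejects ".." only in r.URL.Path, not in a file
// name taken from the query string, so the check has to happen here.
func DownloadHandler(root string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		target, err := SafeJoin(root, r.URL.Query().Get("file"))
		if err != nil {
			// Same response as a missing file, so the client learns nothing
			// about paths outside the root.
			http.Error(w, "file not found", http.StatusNotFound)
			return
		}
		http.ServeFile(w, r, target)
	})
}

func main() {
	// Constructed inputs mirroring the two URLs in the report.
	for _, p := range []string{"/index.html", "/../../../../../../../../../../../etc/passwd"} {
		resolved, err := SafeJoin("/srv/www", p)
		fmt.Printf("file=%q -> path=%q err=%v\n", p, resolved, err)
	}
}
```

The prefix comparison is done on the cleaned, joined path rather than on the raw parameter, so encoded or repeated `..` segments are handled by `filepath.Join` before the decision is made. If the web root may contain symlinks pointing outside it, resolve the candidate with `filepath.EvalSymlinks` and repeat the same prefix check on the result; on Go 1.20 or later, `filepath.IsLocal` offers a stricter test of the relative part before joining.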

krosseyed commented 3 months ago

This also affects ARM64 on v3.1.0. I am able to reproduce this on my setup.

tobychui commented 3 months ago

@krosseyed No worry, this API requires authentication before access, and this does not pose an immediate security risk to Zoraxy. This will be fixed in the next release.

krosseyed commented 3 months ago

Ah, I see access is denied to that URL after logging out. I do have to log in to get traversal to /etc/passwd, and I do not expose Zoraxy directly to the internet.

Thanks for being proactive on this @tobychui and I really enjoy using this software!

klisza1993 commented 2 months ago

For the future maybe it would be better to not post it publicly? :D

YamiOdymel commented 2 months ago

> For the future maybe it would be better to not post it publicly? :D

I did feel sorry and privately messaged @tobychui to talk about this 💀💀

I'll be more careful next time to avoid any concerns

tobychui commented 1 month ago

Patched