ziahamza / webui-aria2

The aim for this project is to create the world's best and hottest interface to interact with aria2. Very simple to use, just download and open index.html in any web browser.
MIT License
9.92k stars 1.47k forks

High severity security issue #599

Open JafarAkhondali opened 2 years ago

JafarAkhondali commented 2 years ago

Hi, I've found a high severity security issue in this project.
Please draft a security issue here: https://github.com/ziahamza/webui-aria2/security/advisories/new (I don't have permission) and add me as collaborator, so I can fill details and even help in patching it.

JafarAkhondali commented 1 year ago

Due to no response: CVE-2023-39141 has been reserved for this vulnerability.

Vulnerability type: Path traversal

Root cause: This line https://github.com/ziahamza/webui-aria2/blob/109903f0e2774cf948698cd95a01f77f33d7dd2c/node-server.js#L10 accepts a file name from URL input without sanitizing it to be in the same directory.

PoC: When node-server.js is used, an attacker can simply request files outside the serving path:

curl --path-as-is http://localhost:8888/../../../../../../../../../../../../../../../../../../../../etc/passwd

Root cause: Attacker may read any file that the www user can read.

Vulnerable versions: Right now all versions, even the latest commit "109903f0e2774cf948698cd95a01f77f33d7dd2c", are vulnerable.
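
A containment check of the kind the report says is missing, as an added example that is not part of the original issue or of webui-aria2's code. The function name `resolveInsideRoot`, the root `/srv/webui/docs` and the sample request targets are assumptions made for illustration.

```javascript
// Added example (not webui-aria2 code): map a request target to a file under
// a fixed root and refuse anything that resolves outside that root.
const path = require("path");

// Returns an absolute path inside `root`, or null if the request escapes it.
function resolveInsideRoot(root, requestTarget) {
  // Drop the query string and fragment; only the path part names a file.
  const rawPath = requestTarget.split(/[?#]/, 1)[0];

  let decoded;
  try {
    // Decode first so that %2e%2e%2f is checked in its real form.
    decoded = decodeURIComponent(rawPath);
  } catch {
    return null; // malformed percent-encoding
  }
  if (!decoded.startsWith("/") || decoded.includes("\0")) return null;

  const base = path.resolve(root);
  // Prefixing "." stops the leading "/" from being treated as absolute.
  // path.resolve then collapses every "." and ".." segment.
  const candidate = path.resolve(base, "." + decoded);

  // The resolved path must still sit under the root.
  const rel = path.relative(base, candidate);
  if (rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    return null;
  }
  return candidate;
}

// Constructed sample request targets; the first has the shape of the PoC.
const SAMPLES = [
  "/../../../../etc/passwd",
  "/%2e%2e/%2e%2e/etc/passwd",
  "/index.html",
  "/js/../index.html",
];
for (const target of SAMPLES) {
  const resolved = resolveInsideRoot("/srv/webui/docs", target);
  console.log(target, "->", resolved === null ? "rejected" : resolved);
}
```

This check is lexical only: a symlink inside the root that points elsewhere would still be followed, so a server that cannot rule those out would also compare the `fs.realpath` result against the root.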